MICROSOFT’S CIO: THE QUESTIONS, THE ANSWERS

THE RESOURCE FOR INFORMATION EXECUTIVES

THE CPAs ARE COMING!
9 Strategies for Winning Over Your Company’s Auditors

UTILITY COMPUTING
Not Yet Plug and Pay

WHAT TO DO WHEN UNCLE SAM WANTS YOUR DATA

HOW TO:

> Respond to the Patriot Act

> Limit Liability

> Protect Your Customers

Charlie Lathram, VP for security at BellSouth, last year received 32,370 subpoenas and 636 court orders for customer information. “We ask the court to narrow the scope,” he says.

Schrage on Balancing Security and Trust
Cover Story

DATA PRIVACY
What to Do When Uncle Sam Wants Your Data

As the czars of data, CIOs better be prepared when the FBI knocks on their doors. The first article in our new series “Playing by New Rules: Your Risks and Responsibilities.” By Ben Worthen

Features

UTILITY COMPUTING
Plug and Pay

Utility computing promises processing power when you need it, where you need it. But the technology isn’t making sparks fly yet. By Fred Hapgood

J.C. Penney IT Audit Manager Ken Askelson (left) meets early and often to talk about new system rollouts with CIO Steve Raish. “Our early participation helped ensure data validity and integrity,” Askelson says in “The Auditors Are Coming.”

Charlie Lathram, BellSouth’s VP for security and business controls, receives about 100 requests a day from law enforcement agencies. “Government agents don't know what they need yet,” he says.

CORPORATE AUDITS
The Auditors Are Coming, the Auditors Are Coming...and That Could Be Good News for You

Corporate accountability has Washington’s attention, and now the auditors have their pencils sharpened for IT processes and projects. Here are nine strategies for working with auditors before, during and after an accounting exam. By Geoffrey James

SECURITY
The Pirates Among Us

The entertainment industry is battling the illegal distribution of copyrighted music and movie files — and will stop at nothing to enlist your help. By Sarah D. Scalet

Q&A | RICK DEVENUTI
The Earliest Adopter

Microsoft’s IT boss is the first to install, the first to deploy and the first to judge. Consequently, he’s learned a little bit about rollouts.



Columns

TOTAL LEADERSHIP
Hidden Assets

Strategies for managing your intangible leadership “capital.” By Christopher Hoenig

MAKING I.T. WORK
What Price Security?

It’s up to the company, not the CIO, to decide how much trust is too much. By Michael Schrage

CAREER COUNSEL
A 12-Step Program for Aspiring CIOs

Mattress Giant’s CIO suggests a path to the big chair. By Steve Williams

Sections

TRENDLINES
Internet sales taxes; Best practices pulled from a crisis; CIOs’ survival tips for tight times; High-tech garbage. And more

OFF THE SHELF
Good Business: Leadership, Flow and the Making of Meaning; The new bookshelf; CIO Best-Sellers

NEW in CIO

REAL VALUE
Plugging Leaky Business Cases
By Jack Keen

An airtight business case is an important step toward ensuring the IT project payoff. Good ones cut through value ambiguity. Bad ones confuse value fact and value fantasy. The new column by author and value guru Jack Keen.

WASHINGTON WATCH
Report finds Wall Street still vulnerable to disaster.

EMERGING TECHNOLOGY
Open-source development tools offer low-cost, high-quality options. By Dylan Tweney

UNDER DEVELOPMENT
The technology exists for power line broadband, but it still faces hurdles.

PUNDIT
Maria Martinez says it’s time to prep your organization for the extended Internet.

In Every Issue

FROM THE EDITOR
New Rules—New Risks for CIOs

The legislative landscape has changed—and the stakes couldn’t be higher. By Abbie Lundberg

INBOX
Reader feedback

INDEX

EXECUTIVE SUMMARY
Abstracts of all the feature stories found in this issue.

“It isn’t up to IT to define what ‘trust’ means or what it’s financially worth. That’s the job of the entire organization.”

-Michael Schrage, Making IT Work columnist, on security


Interactive features from April 15 to April 30

WEIGH IN

How private is your data (and what are you doing about it)?

The government wants your corporate data, and under new legislation passed in the shadow of Sept. 11, it has a right to it (see What to Do When Uncle Sam Wants Your Data, Page 56). You might compromise customers’ privacy to fulfill new government mandates if you don’t have the right language in your privacy statements or the proper process for handling data requests. CIOs from data-sensitive industries such as finance, telecom and travel have already confronted this challenge.

Have you? Weigh In with your experiences and lessons at comment.cio.com/weighin.

For links to these pieces, go to the WEB CONNECTIONS box at www.cio.com.

OUR DAILY WEB

MONDAY: TechTact. Technology Editor Christopher Lindquist covers what’s coming.

TUESDAY: Alarmed. Security experts Sarah Scalet and Scott Berinato give you something new to worry about.

WEDNESDAY: Metrics. Web Writer Jon Surmacz makes sense of the numbers.

THURSDAY: Sound Off. Web Editorial Director Art Jahnke opines on managerial, political and ethical dilemmas.

FRIDAY: The Big Picture. Charts and graphs that are worth a thousand words.

Award Applications

Since 1993, CIO has honored companies for exemplary use of IT that has added true value to their organizations. Apply now for a prestigious 2004 CIO Enterprise Value Award. Applications are available online until May 15 at www.cio.com/awards/eva.

Peer Resources from CIO’s Sister Publications

■ While you’re trying to push utility computing (see Plug and Pay, Page 68), are you stuck explaining the basic distributed computing concept to your nontechnology peers? Send them to www.darwinmag.com to read The Next New IT Model, which explains the basics.

■ Open source is being greeted with somewhat open arms by CIOs (see Build It Free, Emerging Technology, Page 104). One reason might be its alleged lack of security. But, as CSO magazine points out in The Open-Source (Non)Debate, be wary of where that information comes from. Find the article at www.csoonline.com.

EDITOR’S PICK

That’s Right: One Billion Dollars

Linux and Unix vendor SCO claims that IBM stole its intellectual property and built it into Linux. SCO wants IBM to pay—to the tune of $1 billion. The lawsuit is trouble enough for IBM, but it could also be bad news for Linux. Learn why in SCO vs. Linux, in Technology Editor Chris Lindquist’s Tech Tact column.

-Art Jahnke, Web Editorial Director

The Print-Web Connection

Looking for more resources referred to in the stories in this or past issues of CIO? Check out Printlinks online (www.cio.com/printlinks), your print-Web connection.


From the Editor

lundberg@cio.com

To check in on the New Rules series of articles, go to www.cio.com/newrules.

New Rules—New Risks for CIOs

CIOs today find themselves having to navigate a changing landscape of new legislative and regulatory directives that affect IT and business. Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA regulations and the USA Patriot Act all force CIOs to reexamine data and customer privacy policies, security controls and data accessibility. In many cases, they also require significant new investments in information infrastructures in order to comply.

To help CIOs through this growing field of legislative land mines, CIO is launching a new series, “Playing By New Rules: Your Risks and Responsibilities.” The first article in the series, “What to Do When Uncle Sam Wants Your Data,” by Staff Writer Ben Worthen, focuses on the implications of the Patriot Act—in particular, Section 215, which addresses requirements for sharing data and records with federal agents involved in terror investigations.

Most conscientious citizens are eager to help the government in its fight against terrorism. In fact, in a survey of almost 800 security professionals by CIO’s sister publication, CSO, 41 percent of respondents said they were willing to share information about their customers, employees or business partners with government or law enforcement agencies without a court order if they believed it was in the interest of national security.

But that approach can land you in court, as the safe harbor provision applies only to companies that receive a court order. Besides, laws can be repealed. But once you’ve broken trust with your customers, do you really expect to get them back?

In a recent speech to privacy professionals, Richard Armey, the former Republican House Majority Leader from Texas, urged businesses not to roll over to law enforcement when it comes to customer information. “Every bit of it was given to you by someone who trusted you to handle it responsibly, on a contractual basis, explicit or otherwise,” he said. “I take it as your responsibility to protect data against the coercive intrusions of government.”

To find out how the new antiterrorism laws will affect you, how to shield your company from potential litigation and bad publicity, and what infrastructure improvements might be required, please turn to Page 56.

The next article in the series will address the implications of the Sarbanes-Oxley Act. Look for it in our May 15th issue.
Reader Feedback

WHAT WAS HALAMKA’S ROLE?

Wow. All I can say regarding your cover story “All Systems Down” [Feb. 15, 2003] is “Duh!” I can’t believe your coverage of CareGroup’s CIO John Halamka makes him out to be a reluctant hero. The guy is a CIO for goodness sake. If anyone should know you don’t make an octopus out of an extension cord, it should be him.

The real heroism he showed was bringing in Cisco with its CAP program. It knew right off the bat what was happening there and took appropriate steps to fix it.

All of it, however, seems to come down to money. There was plenty of money for workstation cycles, for applications and so on, but where was the money for the backbone? A network has to be considered as a whole, from its patch panels all the way to its workstations and everything in-between.

This CIO’s IT staff also bears some of the blame. I’ll bet anything people there knew about these issues for a long time but never pushed hard enough to get them resolved. Again, it all seems to come down to money.

Funny how there was no expense spared in calling Cisco and installing the appropriate gear once things went down. IT management is always like that—you can’t budget for upgrades, but you can sure pour money on a burning fire.

This is my personal opinion only, and does not reflect the views of KPMG in any way.

Michael L. Mansfield
KPMG
mmansfield@kpmg.com

Senior Editor Scott Berinato responds: Michael Mansfield is correct on one count: “It all comes down to money.” But he incorrectly supposes money abounded for everything but the network. At an institution that, around the time of the network outage, reported a $26 million loss as phenomenally positive news, there was never enough money for any element of IT, including staffing, another culprit in Mansfield’s estimation.

He also credits Cisco and the CAP program. But as many other readers pointed out, the vendors and integrators never seem to have raised red flags when they were selling Halamka hardware and services along the way, even though they would have immediately recognized a 1996 architecture as outmoded and, ultimately, dangerous.

In fact, Mansfield seems to be looking for heroes and villains, and I believe one of the most compelling elements of the story is that there are neither. Just a lot of human beings.

I found your article very interesting. But it does leave some lingering questions. The seven hops in networking to prevent data from losing its way is a very elementary requirement. I have a difficult time believing that someone from the technical group did not know and could not identify this problem right away.

How was the communication within the IT department?

How well-liked was John Halamka within the IT department?

How open was Halamka to human communication before the shutdown?

The article stated that Halamka was an emergency room physician. That hardly qualifies him as a CIO. How much did he know about IT before the shutdown?

I wonder if the shutdown has its root cause in poor human communication.

Harold W. Niekamp
Beacon Technology Solutions

Berinato responds: Harold Niekamp’s questions focus on internal forces causing Beth Israel Deaconess’s shutdown—specifically a lack of communication and a lack of deep IT knowledge. I don’t believe either of those factors were at the root of the crisis. Halamka is well-regarded for both his IT knowledge and his communication skills. The piece instead focused on external cultural factors contributing to the problem. A culture of merging networks on shoestring budgets, and also a culture of focusing on next-generation health-care IT applications, while the “utility” aspect of technology was treated just that way—as a utility you run and don’t think about.

BEST PRACTICES: GOOD AND BAD

If Michael Schrage’s gloomy if generally accurate assessment of the state of best practices in IT (“Worst Practice,” Feb. 15, 2003) has a fault, it’s that it lets CIOs off the hook far too easily. Especially the appallingly high number of them who,
either through inexperience or intellectual laziness, do not distinguish between the simplistic best practices of water-cooler anecdotes, focus groups and advice columns and those that are the outgrowth of empirically derived, methodologically rigorous research.

CIOs should recognize that best practices are rarely simple; more often they are multidimensional and interdependent, and thus take both time and consistent application in order for their full value to be realized. In a decade of research, we have found that the strongest predictor of a company’s ability to capture the benefits of best practices is its level of commitment to addressing the need for sustained change across all dimensions of the IT function—people, processes, and the information IT generates and uses in the way it goes about selecting, deploying and managing technology itself.


The fact that the companies identified by my company’s research methodology vary widely in size, industry and operating model validates the long-held assertion that bona fide best practices are replicable and universally valid. Nowhere is this more true than in the IT function, where the combination of rapidly declining costs for almost all types of technologies, increasing power and improved functionality allows even the smallest organizations to leverage best practices that were once only available to the largest organizations.

Bruce  Barlag 
President,  The  Hackett  Group 
bbarlag@thehackettgroup.com

One example of the problem with best practices concerns a major retail chain that developed a “best practices” approach to opening new stores. It applied this methodology to a new store in Latin America, down to the specifications for electrical systems, only to find the systems run on a different voltage than the U.S.-made systems.

Along with best practices, one should also be cautious with benchmarks, another popular KM concept. It may be useful to know current industry norms, but it may be dangerous to make decisions based solely on them.

Karen  Vagts 
Arlington,  Mass. 

WHAT  DO  YOU  THINK? 

Send your thoughts and feedback to letters@cio.com. Letters may be edited for length or clarity. For links to all articles mentioned, go to www.cio.com/printlinks.


Two  Great  Institutions,  One  Powerful  Project  Management  Program. 
NYU's School of Continuing and Professional Studies and International Institute for Learning, Inc. (IIL) are proud to announce their collaboration in offering the respected Project Management Certificate Program: The Kerzner Approach® to Project Management Excellence.

The aim of the NYU/IIL program is to promote increased organizational maturity in project management, while providing individuals and small work groups with the skills and concepts they need to consistently succeed in their projects.

Offered either online or on-site, the program is highly regarded and aligned with the internationally recognized Guide to the Project Management Body of Knowledge (PMBOK® Guide) of the Project Management Institute®. Students who successfully complete this program and fulfill the requirements of the Project Management Institute are then qualified to take the rigorous Project Management Professional (PMP®) Exam, which leads to industry-recognized professional certification.

Only  through  the  NYU/IIL  collaboration  will  students,  upon  course  completion,  receive  an  NYU  transcript,  a  letter 
grade,  and  a  Certificate  of  Completion. 

Call  today  to  find  out  how  a  Project  Management  Certificate  will  enhance  your  career  with  highly  regarded 
industry  credentials. 


International Institute for Learning, Inc.
www.iil.com

New York University
School of Continuing and Professional Studies


For  more  information 


Phone: 1-800-325-1533


Website:  www.scps.nyu.edu/pm-iil 
BENCHMARKED YOUR WEB SITE

NOW  LET  US  TEST 
YOUR  E-BUSINESS 
PERFORMANCE 


HOW  DO  YOU  IMPROVE  YOUR 
E-BUSINESS  EFFECTIVENESS? 

When you test Web performance, what you really
want to know is how the Web is affecting your bottom
line. That's where Keynote Systems can help.

At  Keynote,  we  know  something  about  performance. 
We  have  been  benchmarking  the  world's  leading 
Web  sites  for  nearly  a  decade.  All  that  expertise  goes 
into  Keynote's  performance  testing  services  to  help 
you  measure  the  effectiveness  of  your  e-business. 

Keynote  offers  services  to  help  you  test  every  aspect 
of  your  e-business,  including  scalability,  capacity,  user 
experience,  and  content  integrity.  Our  performance 
testing  services  give  you  a  360-degree  perspective 
of  your  e-business  effectiveness. 

It's  the  least  you  can  expect  from 
the  Internet  Performance  Authority®. 

To  find  out  how  Keynote  testing  services  can 
improve  performance,  save  you  money,  and 
increase  your  e-business  effectiveness,  call 
1-800-KEYNOTE (800-539-6683), or go to
www.keynote.com/cio 


IMPROVING  THE  QUALITY  OF  E-BUSINESS  WORLDWIDE. 


©  2002  Keynote  Systems,  Inc.  Keynote  and  the  Keynote  logo  are  registered  trademarks  of  Keynote  Systems,  Inc.  All  rights  reserved. 


Case  Study:  NeoGenesis  Harnesses  Multiple  Terabytes 

Front-end  versus  back-end  tradeoff  yields  cost-effective  implementation 


BlueArc  Si7500  SiliconServer 
Tomas Revesz, Director, Information Systems, NeoGenesis Pharmaceuticals, Inc., continues to face a vexing and persistent problem: how to manage the vast and growing amounts of data generated by company processes used to automate drug discovery. Over the years, Mr. Revesz has examined many “solutions” capable of addressing the storage part of his problem, but ultimately incapable of meeting his application need: the cost-effective and high-performance trafficking of terabytes of online data over a scalable network, making that data available where and when needed. A first-person account follows.

The  Company 

NeoGenesis Pharmaceuticals, Inc. is a lead-phase drug discovery company. Its technologies accelerate the initial stage of finding candidates for drug discovery.

The Cambridge, Mass., company was founded in 1997. Its core technology, the Automated Ligand Identification System (ALIS), is a scalable system for rapidly screening disease-associated targets. Coupled with our NeoMorph compound library of more than 10 million medicinally relevant small molecules, ALIS identifies ligands exhibiting high affinity and high selectivity against many protein classes. By identifying biologically active ligands, our technologies simultaneously validate a disease-associated protein as a useful drug target and deliver small molecule drug leads.

The  Problem 

Our drug discovery approach attempts to industrialize and automate a manually labor-intensive process. The product of this automation is a tremendous amount of data acquired by analytical and chemistry-monitoring screening instruments. Each screening line produces 5 to 20 gigabytes of data per day. The lines run 24 hours a day, 7 days a week, and generate upwards of 2 terabytes per month, which must remain available online to researchers for three months.

The requirement for our data storage system is to make this great deal of storage available over the network to a cluster of machines running analysis software. Scalability is the biggest challenge. The second challenge is management of the data.

In choosing a storage technology, we needed a solution that would be both cost-effective and highly scalable on the back end. We wanted to be able to scale our front-end screening operation without incurring tremendous equipment expenditures and management costs for underlying storage infrastructure.

The  Process 

We evaluated a storage area network (SAN) system vs. a network-attached storage (NAS) device. We chose NAS because local I/O requirements are relatively small. The analysis software runs on a cluster of Linux machines that access data over the network. Using a SAN approach would complicate the front end of the storage system by requiring a regular operating system for clustering and an expensive and complicated front end to serve data over a network.

Because we don’t have the local I/O needs that SAN provides, NAS makes more sense and is easier to manage and maintain. We simply plug it into our network and the data comes on and off to the places that need it.

Having chosen NAS, we did our market research to find solutions. We examined both traditional and novel approaches to storing data, in particular, storage that’s easy to manage and to make available over a network. We studied the offerings of the big players, including EMC and Network Appliance, as well as those from smaller companies.

We also solicited opinions from organizations that had implemented a NAS solution. Some of the larger storage manufacturers have good reputations. Others, I found, had products that did not live up to specifications. Newer products have to be checked to ensure they meet these stated statistics.

I also spoke with BlueArc customers. However, we needed to make sure that the BlueArc solution could perform up to specification. We requested an onsite demo unit for testing. BlueArc was accommodating—we were able to get a test system in-house to make sure it performed as advertised.

Details 

Storage  technologies  have 
evolved  since  we  began  our 
screening  system  in  the  late 
1990s,  nearly  keeping  pace  with 
our  requirements  over  time. 
When  we  first  started,  output 
was  relatively  small  compared  to 
what  it  is  now. 

But as the amount of data produced by our screening lines has grown, so have the demands on our storage system. My requirements for a storage system and platform for handling our back-end storage needs were primarily scalability and ease of management. Performance is a factor but not the most important because, in this application, data throughput over the network connection is thin—it’s very light over time. It gets bigger as our front-end instrument line is scaled, as we add systems that are producing the data. So the more the front end of our storage system can handle, the more we can scale our instruments and our screening systems without requiring an additional head-end.

I was looking for a solution with a single point of management—a single head-end to the storage system—and a highly scalable back end. Such a system promised to eliminate the pain and complexity of maintaining a large amount of online data.

Why BlueArc?

BlueArc™ Corporation, a leader in high performance, highly scalable network attached storage (NAS), has created a SiliconServer Architecture that delivers the world's only file server designed to scale beyond today's 1 Gbps networks toward tomorrow's 10 Gbps networks. BlueArc's SiliconServer Architecture moves software into programmable hardware and removes the bottlenecks that limit performance in other NAS systems on the market today.

The  Solution 

After completing in-house testing and validation, NeoGenesis purchased the BlueArc Si7500 SiliconServer, a wire-speed network-attached fixed storage solution with 2 terabytes of raw disk space.

We’ve used the BlueArc solution side-by-side with storage solutions from other vendors. With BlueArc as our most recent purchase, my intention is to stick with it to handle expansion, in time replacing the devices we’ve purchased from other vendors.

The BlueArc approach is unique in that it is designed to do a specific job: to serve data over a network at high rates and in high volumes. This hardware-based solution eliminates what is crippling for some of the competitors: software dependency of front-ends, based on a PC architecture. Whether it’s running a traditional or embedded OS, the PC architecture is ill suited to handling large amounts of back-end and front-end throughput at the same time. The BlueArc solution is designed to do this and has performed extremely well.

Moreover, most similarly priced products provide a maximum of 4 to 8 terabytes. The BlueArc solution has a much higher back-end limit: 228 terabytes. It can do what we need at a lower cost. While there are other solutions that can accommodate our needs, we found that BlueArc’s SiliconServer provides the scalability and performance for less money, and on a single system.

With the ability to manage greater amounts of storage within one system, BlueArc gives us the means to add analytical and screening systems—increasing company productivity—without having to purchase additional servers or increase storage administrative staff.

Implementation 

The BlueArc solution was easy to install. Installation was a matter of placing the hardware in a rack, attaching it to our network, and getting it up and running through a web interface. It took only a couple of hours to get the system running and plugged into our network, and it’s run flawlessly ever since.

Our screening system staff started using it the moment the system went live. We were offered but required no training. In fact, NeoGenesis has used BlueArc’s tech support assistance only to apply software updates and for routine maintenance. Several power-related events in our building have triggered alerts from the system and I’ve been impressed by the reaction time—I immediately get a call from tech support when they see something going wrong.

Business  Benefit 

We now have a single, scalable storage system. This system will allow us to expand our screening capacity and our research capacity without increasing the management costs or resources required to maintain a scalable back-end storage system.

Theoretically, we will max out the front end of this solution before we reach its 228-terabyte back-end limit, but we will still reach a back-end limit far greater than that of competing products. So this architecture saves us money: we buy and maintain fewer front-end units while scaling the storage on the back end to 10, 20, even 50 terabytes before buying another head-end unit.

"...we'll see a tremendous ROI from storage-only purchases over time. In this year alone, we expect to save more than $100,000 in costs associated with the purchase of additional servers."

Just  as  importantly,  the  ease 
of  management  of  the  BlueArc 
solution  has  reduced  the  amount 
of  administration  required  with 
our  previous  systems. 

Financial  Impact 

We expect the most substantial ROI to come when we purchase additional disk capacity. The scalability of the back-end system, combined with the constantly falling price of disks, means that we will incur minimal expense to scale the BlueArc solution and will not incur the expense of an additional control unit.

Without these additional up-front costs, we’ll see a tremendous ROI from storage-only purchases over time. In this year alone, we expect to save more than $100,000 in costs associated with the purchase of additional servers.


To schedule an appointment with BlueArc to discuss your organization’s 2003 storage plans, or to learn more about how BlueArc's network attached storage products and services can save your business time and money, please visit www.bluearc.com/cio or call 1-866-864-1030

BlueArc


E-COMMERCE 

Coming  to  a  State  Near  You: 
Internet  Sales  Taxes 


IN FEBRUARY, three major retailers took a giant—and controversial—step toward integrating their online and brick-and-mortar stores. Target, Toys “R” Us and Wal-Mart announced that they would begin levying a sales tax for online purchases.

They’re not the first. Circuit City and Sears, for example, already have uniform tax collection and remittance procedures across their two sales channels and have made significant inroads in integrating their online and physical stores. The recent move by those three retailers comes when many states, suffering from the worst budget crisis in years, are working to streamline sales tax collection—an effort that could lead states to pass legislation that would force Internet retailers and cataloguers to start charging sales tax regardless of where they do business. (Massachusetts isn’t waiting; it started this year asking tax filers to account for out-of-state purchases.)

Before Feb. 1, WalMart.com, Target.com and ToysRUs.com charged sales tax only for goods bought online in states where they had what’s called “nexus,” or a physical presence such as a retail store, distribution center or call center. This practice followed a 1992 Supreme Court ruling on states’ rights to charge a sales tax.

It turns out that for the national chains, this is more than a tax issue. There’s a customer service component (shoppers like being able to return online purchases to a local store) and a systems integration challenge (it takes some doing to calculate sales taxes across state and local jurisdictions). Charging sales tax in some states but not in others has made it impossible for Target, Toys “R” Us and Wal-Mart customers to drive to a local store to return items they ordered online because the tax-free totals on their online sales receipts didn’t equal the taxed totals tallied by store clerks, according to Kate Delhagen, a Forrester Research analyst. “Those guys were getting a little frustrated from hearing from their consumers, ‘Why can’t we return this stuff to any store?’” she says.

E-Returns Growing: The IRS began accepting electronically filed tax returns in 1986. Since that limited test (25,000 individual returns), Net-based returns have ramped up to a projected 54 million this year.

[Chart, in millions: individual returns e-filed vs. total individual returns filed. Source: Internal Revenue Service]

When Target, Toys “R” Us and Wal-Mart established their Internet operations, they spun them off as entities “separate from the mothership” so that they didn’t have to charge or collect taxes in the states where their physical stores existed, says Delhagen. “Now, they’re in the process of undoing the dotcom spinout,” she says. And retailers such as Circuit City and Sears that kept their Internet stores under the watchful eye of corporate headquarters are a step ahead, she adds.

The march by brick-and-click chains to assess taxes for online purchases would put pure e-tailers such as Amazon.com on the same playing field, of course. (Though even Amazon.com charges sales tax in Washington state and North Dakota, where it has some operations.)

New York Institute of Technology’s fiber optic network is
one of the fastest on the East Coast. To make the most of it,
NYIT graduated to Xerox multi-function technology.

There’s  a  new  way  to  look  at  it. 


Learn  more:  www.xerox.com/learn  For  a  sales  rep:  1-800-ASK-XEROX  ext.  LEARN 
Internet Sales Taxes (continued)


Since  the  Streamlined  Sales  Tax  Project 
began  in  2000,  39  states  and  the  District 
of  Columbia  have  joined  to  simplify  their 
complicated  sales  tax  laws  and  collection 
procedures.  One  of  the  project’s  proposals 
is  to  fix  loopholes  where  remote  sellers 
aren’t  required  to  collect  sales  taxes. 

And there’s money in those clicks. A University of Tennessee study shows that states will miss out on $440 billion worth of revenue from remote sales between 2001 and 2011. The issue of collecting taxes on online purchases had been under a moratorium since 2001, but that is scheduled to be lifted in November, which will likely renew public debate over the issue. “We have long been supportive of streamlining and simplifying the sales tax system,” says Cynthia Lin, a spokeswoman for WalMart.com. “It’s also our belief that all retailers should be required to collect sales tax for all sales.”

That  sentiment  is  music  to  governors’ 
ears  around  the  nation,  whose  association  is 
lobbying  Congress  to  pass  a  bill  that  lets 
states  adopt  Internet  sales  taxes.  Stay  tuned. 

-Meridith Levinson
Best Practices Pulled from a Crisis


AS  PROSECUTORS  AND  DEFENDANTS  prepare  for  trials  this 
fall  of  two  men  accused  in  the  Washington,  D.C.-area  sniper 
attacks,  government  IT  managers  like  Michael  Knuppel  are 
using  their  work  during  that  crisis  to  prepare  for  the  next  one. 

To  Knuppel,  CTO  in  the  Department  of  Technology  Services 
(DTS)  in  Montgomery  County,  Md.,  where  the  first  five  shootings 
took  place  last  fall,  preparedness  means  drawing  on  the  best 
practices  learned  during  last  year’s  events.  Knuppel,  who  reports 
to  county  CIO  Alisoun  Moore,  and  his  140-member  IT  team 
supported  Montgomery  County  Police  Department  Chief  Charles 
Moose,  the  FBI  and  the  Bureau  of  Alcohol,  Tobacco,  Firearms  and 
Explosives  during  the  first  days  of  the  sniper  shootings. 

Montgomery  County’s  IT  plans  emphasize  four  areas 
suitable  for  fast  response: 


1.  COMPUTERS:  Make  extra  PCs  available.  Knuppel  says 
it’s  important  to  warehouse  or  work  with  a  vendor  that  can 
quickly  deploy  many  PCs  (DTS  installed  100  extra  desktops  by 
the  second  day).  Also  key  is  instituting  a  desktop  management 
system  that  relies  upon  standard  configurations  and  PC 
imaging  that  can  load  and  launch  computers  fast. 

2. CALL CENTERS: Expand telephone capacity and assign operators. Montgomery County needed 50 lines to field incoming tips. Knuppel says it’s vital to work with a telecom carrier to set up a single telephone number, preferably toll-free, that can act as a centralized calling point for tips from many geographic regions (and keep callers off 911 lines). Identifying qualified people to answer tip lines and providing the workers with an easy-to-follow training system is another must (Montgomery County used police officers). Also required: 24/7 technical support.

3. RADIO COMMUNICATION: Get different law enforcement agencies talking. In a crisis it’s vital to ensure that your radio dispatch center is able to provide patch connections between various frequency bands so that officials from different organizations can communicate, Knuppel says. Other lessons: Be able to quickly hand out auxiliary radios and accessories to task force members; document the value of issued equipment; and prepare for a 30 percent to 40 percent loss of equipment—particularly accessories—due to carelessness.

4.  GEOGRAPHIC  INFORMATION  SYSTEMS:  Provide  police 
with  base  maps.  The  DTS’s  GIS  team  gave  police  maps  that 
showed  both  victims’  locations  and  potential  sniper  whereabouts, 
Knuppel  says.  The  team  maintains  an  up-to-date  street  database 
that  shows  current  municipal  boundaries,  shopping  centers, 
schools  and  other  locations,  and  helps  police  determine  how  best 
to  set  up  roadblocks  around  major  highway  artery  access  points. 

Knuppel’s team earned respect from Montgomery County police, says Tom Didone, who was acting assistant police chief during the sniper crisis. “Every resource I needed, I got. Just like that—no red tape,” Didone says. “They acted as a full and equal partner from the outset until the end.”

-Tracy Mayor
... Bugbear... Klez...
Nimda... hmmm... nope.
Don't see 'im on
the list.


Okey-dokey. 

Sir,  you  can 
come  on  in! 
SECURING THE GLOBAL VILLAGE


eAladdin.com 


Any  anti-virus  solution  can 
stop  a  known  threat. 

What  about  the  unknown? 

Upgrade  your  Gateway  and  Mail  server 
security  to  a  'smarter'  level  of  protection 
with  eSafe®.  eSafe  is  the  new,  proactive 
solution  that  scans  and  blocks  malicious 
"unknowns"  before  they  enter  your  network — 
before  they  show  up  on  anyone's  signature 
update  list.  The  result?  Tighter  security  with 
more  network  uptime  and  productivity. 

eSafe  enables: 

■  Strong,  around-the-clock  protection 
against  new  and  existing  viruses,  worms, 
spam,  and  hostile  email  attachments. 

■  High-speed  scanning  of  all  HTTP  and  FTP 
traffic,  closing  a  significant  security  hole 
for  large  organizations. 

■  Proactive  protection  against  known,  but 
unpatched,  security  exploits. 

Today,  the  average  cost  of  a  successful 
virus  attack  to  a  business  is  $283,000*. 

Be  proactive  and  show  unknown  nasties 
the  door.  Move  up  to  the  award-winning 
protection  of  eSafe. 

Try It. Win It. Test-drive eSafe Gateway or eSafe Mail and you could win up to a 5,000-user license for one year—a $70,000 value! Go to eSafe.com, call us at 1-800-562-2543, or email us at eSafe.us@eAladdin.com for more information.
North America: 1-800-562-2543, 847-818-3800 or eSafe.us@eAladdin.com International: +972-3-636-2313 or eSafe.il@eAladdin.com
Germany: eSafe.de@eAladdin.com UK: eSafe.uk@eAladdin.com France: info@Aladdin.fr Benelux: eSafe.nl@eAladdin.com

*2002 CSI/FBI Computer Crime and Security Survey

©2003 Aladdin Knowledge Systems, Ltd. eSafe is a registered trademark of Aladdin Knowledge Systems, Ltd.


trendlines 


Off  the  Shelf 


Edited  by  Carol  Zarrow 


Going  with  the  Flow 

Good  Business:  Leadership,  Flow, 
and  the  Making  of  Meaning 

By  Mihaly  Csikszentmihalyi 
Viking,  2003,  $24.95 

MIHALY CSIKSZENTMIHALYI is best known for his 1991 book, Flow: The Psychology of Optimal Experience. In it he describes what he calls flow, a state of intense concentration that people enter when they lose themselves in an activity. He argues that when people attain flow, they are most effective and productive.

In Good Business, Csikszentmihalyi (pronounced “chick-sent-me-high”) applies this concept to the workplace. It is possible for people to attain flow during even the most menial tasks, he says. It therefore behooves corporate leaders to cultivate an environment in which employees can frequently achieve a state of flow. The result, he claims, will be employees who are engaged, committed and loyal.

In the book’s first section, “Flow and Happiness,” Csikszentmihalyi offers insights into flow from some well-known corporate leaders. No company does “good business,” these leaders and the author say, unless it both improves the quality of life of the people it employs and makes a genuine contribution to human happiness.

The second section, “Flow in Organizations,” provides practical advice for managers on cultivating flow among employees. First and foremost, he says people will encounter flow only when they are challenged enough to grow and learn, yet not to a degree that will cause stress and anxiety. Second, to foster commitment, business leaders must clearly define organizational goals and communicate them often. Employees should receive immediate feedback, and executives should create an environment that promotes concentration.

In the book’s final section, “Flow and the Self,” Csikszentmihalyi asks the business leaders of the first section how they find flow. Here, unfortunately, the book loses its workplace focus. The responses are so obvious—know yourself, do what you love and so on—that they don’t add any substance. By relying so heavily on advice from “visionary” business leaders, Csikszentmihalyi loses the opportunity to reinforce his theory with supporting insights from employees at those companies where he has found flow flourishing.

-Megan Santosus

Miramax Books, 2002

4. Now, Discover Your Strengths: The Revolutionary Program That Shows You How to Develop Your Unique Talents and Strengths—And Those of the People You Manage
By Marcus Buckingham and Donald O. Clifton
The Free Press, 2001

3. Fish! A Remarkable Way to Boost Morale and Improve Results
By Stephen C. Lundin, Harry Paul and John Christensen
Hyperion, 2000

2. Execution: The Discipline of Getting Things Done
By Larry Bossidy and Ram Charan
Crown Publishing Group, 2002

1. Good to Great: Why Some Companies Make the Leap...and Others Don’t
By Jim Collins
HarperCollins Publishers, 2001

SOURCE: DATA FROM THE WEEK OF MARCH 10, 2003. COMPILED BY BORDERS GROUP, ANN ARBOR, MICH.

THE NEW BOOKSHELF

“People who are emotionally committed to something behave in ways that defy logic and often produce results that are well beyond expectations. They pursue impossible dreams, work ridiculous hours and resolve unsolvable problems.”

From Why Pride Matters More than Money: The Power of the World's Greatest Motivational Force, by Jon R. Katzenbach (Crown Publishing Group, April 2003)


cio.com For more good reads, visit READING ROOM at www.cio.com/books and Darwinmag.com's BOOK ROOM at www.darwinmag.com/connect/book.


All those who want more wireless with less worry...


Technology  Risk 

Wireless  networks  offer  businesses  several  advantages. 
Increased  mobility,  design  flexibility,  lower  costs.  But  as  with 
most  new  technologies,  design  focuses  on  functionality  -  not 
risk.  Wireless  technologies  do  not  have  the  physical  access 
restrictions  used  in  traditional  wired  environments.  They  make 
it  possible  for  someone  in  the  lobby  or  across  the  street  to  have 
access  to  a  network  carrying  patient  or  employee  information, 
sensitive  corporate  data,  or  trade  secrets. 

Are  your  wireless  access  points  configured  with  adequate 
security?  Has  your  business  taken  steps  to  prevent  hackers  from 
exploiting  your  information?  Do  you  know  your  vulnerabilities? 
“War  driving.”  “Net  stumbling.”  “War  chalking.”  “LAN  jacking.” 

From  wireless  to  business  continuity,  infrastructure 
management  to  security  and  privacy,  Protiviti  helps  you 
identify,  measure  and  manage  the  technology  risks  that 
threaten  your  business  objectives.  That  way,  you  can  manage 
your  risks,  not  just  react  to  them. 


Protiviti is the leader in independent risk consulting and internal audit services. We provide international services for established and emerging companies to help them independently identify, measure and better manage risk. Our Big Four experience ensures years of expertise in a wide range of industries. So whether your challenge is reporting accurate results, maximizing the value of technology or adopting business controls you can trust, Protiviti delivers quantifiable solutions that make a difference... Are you ready to Say i?


For  more  information  visit 

protiviti.com  or  call  1.888.556.7420 


Visit  KnowledgeLeader.com  today  for  a  free  30-day  trial. 

KnowledgeLeader.com  provides  exclusive  tools,  resources  and  best 
practices  to  help  internal  auditors  and  risk  professionals. 


Business  Risk  I  Technology  Risk 


2003 Protiviti Inc.


MANAGEMENT


Survival  Tips  for  Tight  Times 


AS THE ECONOMIC DOWNTURN HITS YEAR THREE, how are CIOs coping with continued pressure to cut costs? Five CIOs from the Information Management Forum, an association of senior IT and business executives, explained their approaches during a roundtable discussion with CIO Deputy Editor Richard Pastore at the IMF’s recent meeting in San Diego. For the complete discussion, go to www.cio.com/printlinks.


LEE LICHLYTER, vice president and CIO at Butler Manufacturing, engages the board.

In nonresidential construction supplies, the past 18 months have been brutal, with capital spending way down. There’s a willingness to invest, but you’ve got to show the proof. And that proof has gone beyond the business level — I’ve seen more awareness at the board of directors level than I ever saw before. Their questions about value are more insightful.

Most of us have already cut all the discretionary stuff. If there has to be another reduction, you sit down with the business functions and ask what hurts the least to cut. Invariably they choose to reduce service levels [such as the help desk] because that feels less painful to them or less real. It’s not always the best choice, but it seems to be the easier decision. It’s also tempting to delay a project down the road versus stopping something that’s active. But sometimes it makes more sense to cut a current project; the next project may have a better payoff.

WILLIAM MILLER, vice president of IS at communications company Harris Corp., prunes staff.

We are so concerned with value that we do an ROI assessment and sign-off for every project over $50,000 now. We have two executive signatures on each project — the business unit CIO and the financial controller, or if it’s a larger project, it’s the president — so there’s no finger-pointing down the road.

Also, we have redoubled our efforts to manage poor performers out of the business. With the industry suffering, there’s very low turnover; everybody is laying low. They’re generally not going to leave on their own. So it’s important to actively work the poor performers out. Make sure your management team understands that they won’t be punished in terms of resource shortages if these people leave. It’s not fair to the rest of the workforce who are busting their humps in tough times to have these poor performers by their side, not carrying their weight.

DORON COHEN, senior vice president and CIO at Canada Life Assurance, shuns software upgrades.

In insurance, IT is the product pipeline. Shrinking IT costs can improve efficiency but can also reduce production capability or slow down the ability to launch new products.

In the past, any crafty IT manager could force his company to make an investment in upgrading software just by pulling out the “this-software-is-no-longer-supported” card from his sleeve. This does not work anymore; our management is now saying, “So what? So the application will be three generations behind?” The most cost-effective IT solution in many areas is using software that’s five or six years behind the current version. I’m not happy with that because sometimes we are shooting ourselves in the foot. But when it’s $3.5 million just to migrate to the latest version of an application....


32 CIO APRIL 15, 2003 www.cio.com

ABBE M. MULDERS, executive director and CIO at Dow Corning, benchmarks in-house IT costs.

Our company did a competitive assessment of the internally delivered IT services to compare our in-house costs to the marketplace. We wanted to determine if the businesses would gain further value — mostly centered around costs — from an outsource provider. Overall, the assessment proved that we were delivering the agreed-upon services at or below the market rates. The assessment results were reviewed with the business unit leaders to gain their approval to retain the internal sourcing for the services. The business general managers accepted the recommendations and agreed to annual market price benchmarks to keep our internal IT costs aligned with what is happening in the marketplace.

CECIL SMITH, senior vice president and CIO at Duke Energy, avoids megaprojects.

We are highly cash conscious and are not going to spend more capital than we can generate out of the energy trading and marketing business. In IT, we are reemphasizing the basics with a focus on critical projects such as risk management and converting and integrating acquisitions. We don’t have any large and looming projects on which to spend $10 million. We’re continuing to invest in baseload application maintenance.

One problem with outsourcing to cut costs is that it can take you a long time to realize the benefits. If you started right now and you try to outsource your IT operations — to IBM, EDS or CSC — it will take them three to six months to analyze your operation and write a contract, and then six to nine months to convert operations to the outsourcer.


About This Report

In late 2002, Deloitte & Touche and the IDG Research Services Group teamed up to conduct a study of 200 IT leaders at companies with $250 million to $5 billion in annual revenue. The primary objective of the study: to determine how companies are utilizing and evaluating the value of their IT investments.

This report, “Achieving, Measuring and Communicating IT Value,” is a result of the Deloitte & Touche/IDG Research study and includes:

• In-depth survey and management analysis by Deloitte & Touche thought-leaders;

• Survey results presented in graphic illustrations;

• Vertical industry analysis of survey results and current trends by Deloitte & Touche experts;

• The Deloitte & Touche IT Value Management Framework — a seven-step toolkit for creating and communicating IT value.

For more information about this report or the IT Value study, please visit www.deloitte.com/us/mss.


Achieving, Measuring and Communicating IT Value

A TOOLKIT TO HELP PROACTIVE CIOS STRENGTHEN IT PORTFOLIOS IN A WEAK ECONOMY

FRAMING THE PROBLEM

“Where can we improve service and add value even as we look at additional ways to cut costs?”

“What can we do to change a corporate mind-set that sees IT as a cost center, not as the value center it really is?”

“Are there better ways for us to identify, measure and communicate IT value?”

These questions exemplify the CIO’s dilemma: how to deliver — and be recognized for delivering — greater IT value. It’s a daunting challenge, and one that today’s CIO tackles in the face of some hard truths: one, a strong belief that enterprises consistently undervalue Information Technology; and two, the frank admission by CIOs that they aren’t getting the job done when it comes to quantifying the value IT delivers.

The issues driving the CIO’s dilemma come into clear focus in a thought-provoking new survey of 200 global IT executives conducted by Deloitte & Touche and IDG Research in late 2002. In this exclusive survey, which included enterprises in the $250 million to $5 billion range in financial services, retail/wholesale/distribution, and government, results show:

Nine out of 10 IT executives at the director level or above say that IT value is either critical or very important to their company,

but...

two out of every three acknowledge that IS groups have not been successful in measuring and communicating IT value.

And...

nearly half of the respondents say that executive management consistently understates the value of information technology.

Given their admitted failure to make a compelling case for the value IT delivers, it is not surprising that nearly two-thirds of respondents say they are not included in enterprise strategy development, and 84 percent report they are not among the decision makers who assess IT value.

“The disconnect is there, and most CIOs see it as a significant challenge to overcome,” says Dean Nelson, who leads Deloitte & Touche’s U.S.-based Integration, Development and Infrastructure practice, which focuses on assisting organizations from IT strategy to Web application development. “CIOs know that they’ve got to increase the value IT delivers, but they realize it’s equally important that they are able to quantify that value and communicate that value clearly.”

The survey results buttress what Deloitte & Touche consultants see and hear daily in their global engagements. “It’s a crucible for CIOs,” says Paul FitzGerald, a principal in the Integration, Development and Infrastructure practice. “They are being asked to make a difference in how technology is used; they are being asked to reduce costs; and they must have at least one great vision of the future. It’s hard to do that if you don’t have a definitive way of setting realistic expectations, and the ability to measure performance against those expectations. These factors contribute to the brief tenure of CIOs, which averages 18 to 24 months.”

In the survey, 88 percent of CIOs say that although their individual performance assessment is linked to demonstrating the value of IT to the enterprise, there are several factors that prevent optimum results. Chief among the obstacles: IT funding levels and existing performance measurement criteria. Nearly 60 percent of survey respondents report that IT budgets are flat or will decline this year, and 99 percent say that they must manage IT on a series of cost-driven, rather than value-driven, metrics.

Jeff Plewa, who leads Deloitte & Touche’s global Integration, Development and Infrastructure practice, notes that the budget constraints are attributable to both the economic downturn and a post-dot-com technology-spending backlash that has led business executives to wield an especially sharp budget axe. Budget relief is not in sight.


"CIOs know that they've got to increase the value IT delivers, but they realize it's equally important that they are able to quantify that value and communicate that value clearly."

Dean Nelson, leader of Deloitte & Touche's Integration, Development


IT SPENDING: 82% SAY IT BUDGETS STAY FLAT OR GROW IN '03

Charts: what respondents expect their companies to spend on IT in 2003, and whether their companies' IT budgets would grow, shrink or stay flat.

While CIOs express frustration that decision-makers in their enterprises view technology as a commodity and use cost-oriented evaluations such as decreasing costs or return on investment (ROI), survey results identify no clear consensus among CIOs on top IT priorities and hence no alternative to the status quo. When asked to identify their top priorities:

• 18 percent said “upgrading hardware and software”

• 14 percent said “cost reduction”

• 14 percent said “security.”


TOP IT PRIORITIES

Respondents were asked on an unaided basis to name their companies' top three IT priorities for the next 12 months:

• Upgrading hardware/software: 18%

• Cost reduction: 14%

• Security: 14%

• ERP implementation: 13%

• CRM: 11%

Additionally, respondents were asked to name the top three IT projects they will pursue during the next 12 months. Chart categories: Web development/increase Web services; ERP implementation; Hardware/software upgrades.


“The responses are all over the map,” says Plewa. “I bet that five years ago at least 40 percent would have said something like ERP. CIOs just don’t seem to have a peg on which to hang their priorities today.”

That lack of clear priorities is among the reasons why IT executives struggle to articulate the value of IT. Nelson, FitzGerald and Plewa say CIOs must overcome this challenge — stressing that not only must IT priorities and initiatives be clear, but CIOs also must be able to explain them and demonstrate their value in terms that are relevant to senior business executives.

“Most business executives measure the value of their business in terms such as market share, debt-to-equity ratio and inventory turns, but in IT today that isn’t the case,” Nelson says. “In IT, value is all about costs, with most companies using measurements such as IT spend per employee or IT operating budget as a percent of revenue. We don’t believe these are the best measures of IT effectiveness and worth.”

Nelson draws on a variety of resources — including custom research and surveys such as the current one — and on Deloitte & Touche’s global experience to inform his view.

“We’ve  talked  at  length  to  hundreds  of  clients  in  many  vertical 
industries  about  IT  value,”  he  says.  “And  we’ve  spent  years  as 
the  valued  business  advisor  to  hundreds  of  companies  seeking 
to  solve  this  problem.” 

Drawing upon this depth of knowledge and broad experience, Deloitte & Touche has created an IT Value Management Framework designed to enable the typical “cost-centered” IT group to transition itself into one that:

• generates additional IT value,

• measures IT value more effectively, and

• makes sure that IT value is understood and recognized at all levels of the enterprise.

Deloitte & Touche believes the IT Value Management Framework can help CIOs develop the capabilities that are essential if they expect to play a key role in their enterprise — understanding strategy; performance visibility; IT alignment; value-oriented metrics; and effective communication skills.

By taking advantage of the new approaches Deloitte & Touche has developed, CIOs can learn to apply their skills to pinpoint the value gaps in their organization, and then help move from a tactical — keeping the lights on — focus to a strategic focus that applies business-centered competencies to the IS organization.

“It’s a vital goal, but it is not simple to achieve,” says Nelson. “But when the IT group is truly viewed as a strategic business partner, when its worth is measured by how much revenue it generates and not how much money it saved by reducing headcount, the CIO will have a place at the decision-makers’ table.”


Managing IT as a Portfolio

"It's a good business practice to manage IT as a portfolio of applications. By understanding where in the portfolio their investments fall, CIOs can align their goals with business priorities."

Jeff Plewa, leader of Deloitte & Touche's global Integration, Development and Infrastructure practice


INDUSTRY INSIGHT:

Doug Engel on Trends in Manufacturing

IT value in the manufacturing industry is a very granular concept — leaders want to get very specific indeed about how their money will generate value. The Deloitte & Touche/IDG Research survey finds that 60 percent of manufacturing CIOs cite "decreased costs" as the primary measurement of IT value — a higher number than in any other industry segment. And given the fact that the manufacturing segment reported the highest number of respondents facing IT budget cuts (23 percent) in 2003, granular is the way to go. These IT leaders need to know exactly where the money is going, and what the return will be, before they can disburse funds.

"It's all about creating value from obtaining very specific objectives, such as supply chain velocity or better procurement processes," says Doug Engel, the national manufacturing industry leader for Deloitte & Touche. "If the CIO is going to spend $20 million on a new ERP implementation, the CEO wants to know what he's going to get, and being able to close the books four days earlier won't be enough. He'll want a specific, payback-focused approach."

With that in mind, it's not surprising to find that the big IT value trends in manufacturing focus on getting good IT value without spending on huge projects. Engel points out the following manufacturing industry trends:

Simplifying IT environments. Many manufacturing companies have large legacy environments that have sprawled out of control as companies grow and acquire new businesses. "It's become a very high-cost, high-maintenance environment," says Engel. "So many businesses are either simplifying the architecture or outsourcing." Those choosing the first route are standardizing common products and implementing a highly similar IT architecture across the company.

Choosing shared services. Another popular variant is to build a shared services type of IT organization. Instead of each division or function owning its own IT group, companies are building shared services centers that everybody must use. "The data center serves a bigger piece of the organization," says Engel. "It's consolidation of operations at the same time."

Tactical ERP. Getting funding for a massive infrastructure project such as ERP is difficult at best these days. The attitude is that these types of expenditures can be delayed. So CIOs are taking a different approach. Instead of putting in the ERP backbone first, many have put in smaller modules, such as procurement. "They're recognizing that it won't be quite as effective without the data backbone," says Engel. "But you can get some payback out of the box, and as you implement the rest of ERP it will only get better." In fact, the savings provided by the smaller pieces provide a greater incentive for the Board to give the green light to the rest of the project.

All this boils down to CIOs who have become canny operators in a hungry business world. "CIOs are much smarter about engaging business leaders and process leaders more than before," says Engel. That can only help boost the perceived and real value of IT.

Doug Engel may be reached at dengel@deloitte.com


THE DELOITTE & TOUCHE IT VALUE MANAGEMENT FRAMEWORK: A 7-STEP PROCESS

1. Survey the business

Finding out how the enterprise views IT, versus how IT views itself, is a vital step in aligning both business and IT expectations. To attain this result, Nelson recommends a Deloitte & Touche tool called the IT Value Profile.

The profile starts with a survey of both IT executives and enterprise business leaders on their views of the IT organization. “We ask a series of questions on topics such as planning, risk management, portfolio management and cost measurements,” Nelson says. Based on the answers, the company establishes its IT Value Profile and is designated a Leader, Partner, Utility or Commodity.

“If the survey responses indicate that the organization sees the strategic values of IT as high and the cost of IT as secondary to the business strategy, they’d be designated a Leader,” he says.

“The IT Value Profile defines the role the business expects IT to play in the enterprise, and it should drive the objectives and priorities of IT,” Nelson adds. IT executives can use this information to compare how the enterprise views IT versus how IT views itself, and address any disconnect between the two perspectives.

And there typically is a disconnect, Nelson confirms. “But this can spark some great conversations. For example, if the enterprise views IT as a Leader, but they are funding it like a Commodity, that is something that needs to be addressed.”


IT DEPARTMENT'S ROLE WITHIN COMPANY

Which of the following best describes the IT department's role within your company?

• Strategic Business Partner (joint developer of business strategy): 44.5%

• Services Provider (supplier of technical services in response to business strategy): 22%

• Joint Business Contributor (involved in business strategy development): 15.5%

• Critical Business Leader (leads business strategy development): 12%

• Technology Utility Supplier (cost-sensitive provider of technology services): 3%

• Technology Custodian (provider of tactical technology solutions): 2.5%

• Don't know/refused: 0.5%


Establish Meaningful Metrics

"If the CIO wants to be taken seriously, he needs to do what other executives do and have his own business metrics and performance measurements so that he can effectively measure his internal business performance."

Paul FitzGerald, principal in Deloitte & Touche's Integration, Development and Infrastructure practice in the U.S.


2.  Evaluate  the  budget  and  priorities 


This is part of an IT-wide process of determining the value of each IT project, and making sure that spending levels are appropriate for the expected value of each program. “By examining how IT organizations allocate scarce resources, we can infer what their priorities are,” says Nelson. “This involves really digging into the budget. This exercise requires IT executives to break apart the budget and allocate it into certain processes.”

The IT budget can be broken into what Deloitte & Touche calls nine different “process families”:

• managing IT business value

• providing enterprise IT management systems

• managing IT portfolio/budgeting

• managing organization structure and skills

• realizing solutions

• deploying solutions

• delivering operational services

• managing IT assets and infrastructure

• satisfying customer relationships.

By comparing actual dollars spent versus the budgeted amount, along with the cost of full-time equivalents devoted to each process family, an enterprise can arrive at the percentage of resources allocated to each group. This is the first step toward the concept of portfolio management, says Nelson.


SUCCESS OF COMPANY'S ATTEMPTS TO MEASURE THE VALUE OF IT INVESTMENTS

Overall, how successful has your company been in its attempts to measure the value of its IT investments? Chart categories: Extremely successful; Not at all successful; Don't know/refused.


INDIVIDUALS DETERMINING IT VALUE AT COMPANY

Who is determining IT value at your company? Chart categories: Executive management (CEO, President, Owner, etc.); Business Unit Management; IT Management; Other.

3.  Initiate  portfolio  management 

“It’s a good business practice to manage IT as a portfolio of applications,” says Plewa. “By understanding where in the portfolio their investments fall, CIOs can align their goals with business priorities.”

For example, he cites a recent analysis for a Deloitte & Touche client. “Out of 70 people in IT, they only had six supporting the applications that make up 80 percent of their portfolio. We were scratching our heads, because it looked to us as if they should have had more like 25 or 30 people in that capacity.”

The portfolio management model divides IT projects into three categories of ascending risk and potential value:

• “Keep the Lights On” — core and non-discretionary spending

• “Advance the Ball” — enhancements and upgrades

• “Change the Rules” — applying new strategic IT tools.

Once CIOs classify their IT portfolios by category, they can check to see whether their emphasis matches the IT value profile.

“Each section of the portfolio should show different and appropriate levels of return, according to the company’s IT value profile,” says Nelson, adding that CIOs can use the data to adjust spending appropriately. “Say you’re spending 80 percent of your budget on keeping the lights on. That’s all right if you’re an enterprise with a Commodity profile, but if you found that the organization wants IT to act as a Partner, then the way that enterprise allocates money for IT will change. It keeps coming back to making sure that IT and business goals are aligned,” he says.


The end game as always is to make sure that IT initiatives support business objectives.


MEASUREMENT METHOD OF VALUE OF COMPANY'S IT INVESTMENTS

How is the value of your company's IT investments measured? Chart categories: Decreased costs; Increased productivity; Total cost of ownership or TCO; Increased revenues; Length of time to payback; Reduced head count; Specific ROI formula or benchmark; Discounted cash flow; Other; Don't know/refused (0.5%); IT value isn't currently measured at my company (0.5%).


4.  Analyze  IT  operations 

“If  the  CIO  wants  to  be  taken  seriously,  he  needs  to  do  what 
other  executives  do  and  have  his  own  business  metrics  and  per¬ 
formance  measurements  so  that  he  can  effectively  measure  his 
internal  business  performance,”  says  FitzGerald.  “Other  busi¬ 
ness  departments  have  them,  but  CIOs  generally  don’t  because 
IT  has  always  been  viewed  as  a  cost  center.” 

Measurements  in  IT  tend  to  be  vague  and  lacking  in  context. 
“You  can  say,  ‘I  had  10  projects  last  year,  and  I  did  them  well,”’ 
says  FitzGerald.  “But  there  is  no  real  business  measurement 
there.  How  many  projects  should  you  have  had?  Did  you  really 
have  the  capacity  to  handle  14  projects,  for  example?” 

To this end, both Nelson and FitzGerald recommend that CIOs
explore running their area more like a service operation rather
than a cost center, and develop metrics that track the performance
of the IS staff, as well as the equipment comprising the applications,
infrastructure and networks under the CIO’s control.


ACCURACY OF EXECUTIVE MANAGEMENT'S PERCEPTION OF TECHNOLOGY VALUE

Would you say that executive management's perception of technology
value to your company is accurate?

[Chart. Only one response label survives: "No, value is overstated."]

The first step, they say, is to implement Service Level Agreements
(SLAs) with business units. “If I’m a CIO and I don’t have SLAs,
that’s the first thing to get in place,” says FitzGerald. “It sets the
expectation on the technical areas of the CIO’s operations. At a
minimum, they should set up what is expected and what levels of
service the equipment will provide.”

Service Center Mode: Using SLAs

"If IS is now providing a service, they need to understand where
the service is being used to be properly recompensed ... to
demonstrate where the value is."

Paul FitzGerald, principal in Deloitte & Touche's Integration,
Development and Infrastructure practice in the US.

THE BEST METHODS FOR MEASURING IT VALUE

Regardless of how respondents are measuring IT value, most report
that the following methods are the single most accurate reflector
of IT value:

Increase in productivity
Total cost of ownership: 16%
Specific ROI formula or benchmark: 16%
Project is up and running within a certain time: 15%
Increased revenues

Underlying SLAs should be some sort of charge-back system
with business units, particularly when it comes to apportioning
staff time. “If IS is now providing a service, they need to understand
where the service is being used to be properly recompensed
... to demonstrate where the value is,” says FitzGerald.

Nelson  points  out  that  professional  services  automation  (PSA) 
software — such  as  applications  sold  by  Lawson,  PeopleSoft  and 
Changepoint — exists  to  help  IT  workers  bill  their  hours.  “Good 
software  will  tell  you  how  much  time  people  are  devoting  to 
each  project,  and  whether  they  are  completing  what  they  say 
they  will,”  he  says. 

The  second  part  of  the  IT  operations  equation  is  computer 
equipment,  and  CIOs  must  have  a  firm  handle  on  how  that 
equipment  is  being  used.  “There  is  software  to  help  with  the 
people  picture,  and  there  are  other  products  that  can  monitor 
hardware  performance  ...  things  like  network  and  server 
uptime,”  FitzGerald  says. 

Finally, CIOs need to institute lifecycle management with their
applications and computer equipment. “The majority of IT
organizations don’t have any idea of the lifecycle of an application
— how long they want it to last, when it needs to be refurbished,
replaced or disposed of,” says FitzGerald. “Lacking this
knowledge, it’s easy for applications to linger long after they
should be gone, and for companies to spend far too much
money maintaining ailing applications. For example, at the time


INDUSTRY INSIGHT:
Randi Brosterman on Trends in Financial Services

Things are tough all over, but nowhere more so than in the financial
services industry, which has been marked by stock market turbulence
and the fallout from corporate accounting scandals. "There
continues to be a lot of focus on cost-reduction in the financial
services industry," says Randi Brosterman, the National Financial
Services Industry Leader for the Management Solutions Practice at
Deloitte & Touche.

Despite the cutting and turmoil, this sector continues to invest in
technology. Almost 47 percent of financial services CIOs surveyed
say that they plan to increase their technology budgets in 2003,
versus 14.3 percent who will decrease. But even with increased
spending, these CIOs place a high premium on IT value: nearly
90 percent of those surveyed consider IT value either critical or
very important to their company.

In fact, Brosterman says that smart financial services companies are
using technology as a strategic tool that is integral to the
business. "They are starting to get at the value of IT as opposed to
just cost reduction," she says. Brosterman says the following trends
are gaining popularity:

Selective outsourcing. Large financial services institutions are
traditionally do-it-yourselfers when it comes to IT. "But outsourcing
has gained a foothold that wasn't there before," says Brosterman,
who cites JP Morgan's recent deal with IBM as an example. One
popular outsourcing trend is to send certain activities, such as call
centers, overseas. India is one popular venue, and Brosterman says
that a significant number of programming jobs are going overseas
as well.

Data center consolidation. Many financial services companies are
centralizing some aspects of their IT model in the name of cost
reduction. "Wherever possi-


8  IT  VALUE 


CIO  ADVERTISING  SUPPLEMENT 


you  put  in  an  accounting  system,  you  should  know  when  you’re 
going  to  replace,  refurbish  or  get  rid  of  that  system.” 

5.  Measure  performance  using  appropriate  metrics 




After  instituting  measurement  methods,  it  is  vital  to  use  the  data 
to  establish  IS  metrics  that  highlight  the  value  of  IT. 

Nelson likes the idea of a “CIO Dashboard,” or software that can
integrate the various streams of data into one place to show the
important value indicators that help the CIO manage the performance
of an organization, according to the right measures.

“The  key  here  is  to  find  the  right  things  to  measure,  and  modify 
targets  based  on  experience  and  benchmarking,”  says 
FitzGerald.  “There  are  plenty  of  dashboards,  for  example,  that 
measure  mechanical  things  such  as  server  and  network  uptime, 
how  fast  requests  for  enhancements  get  fulfilled,  or  help  desk 
metrics.  But  what  we  don’t  see  are  dashboards  for  IT  executives 
that  tell  them  whether  they  are  providing  value  for  the  money 
spent.” 

“These dashboards,” he continues, “would measure things such
as staff utilization, the health of the application suites and
infrastructure, and asset management by portfolio. If the top five or
six people in the IT group can see those things relatively easily
and can use the dashboard to drill down further into the issues
and problems, it will help add value.”

The key is to keep it relatively simple, and to make sure the
data is timely. “A dashboard that tells you how fast you were
going 10 minutes ago isn’t helpful when you’re coming up
on a police car,” FitzGerald says. “If I have people recording
their time on a weekly basis, I should get that information


"Once  IT  executives  get  their 
performance  measurements 
in  place,  they  need  to  share 
the value metrics throughout
the company. One of the
first  places  this  should 
happen  is  at  the  executive 
committee  meetings. 
Technology  strategy  should 
absolutely  be  on  the  table 
there.  Don't  get  muddled  in 
technical  details,  but  put 
together  a  presentation 
executives  can  relate  to." 

Jeff  Plewa,  leader  of  Deloitte  & 
Touche's  global  Integration, 
Development  and  Infrastructure 
practice 


ble, companies are standardizing technologies and renegotiating
contracts," Brosterman says. "Many of the activities in IT are
externally purchased, and anytime you purchase something
externally there is the opportunity to renegotiate the contract and
bring down costs."

Increased leadership by the CIO. As companies seek to draw value
from IT, many have found that IT must be perfectly aligned with
business goals to produce the biggest bang for the buck. And for
that to happen, the CIO must become an effective translator of IT
value. "There are too many companies where IT and the business are
not as well-aligned as they could be," she says. "The onus is on the
CIO to be an effective senior executive at communicating the value
of IT and partnering effectively with business units."

In the end, that's what will help financial services companies
continue to wring a full measure of worth from their IT budgets.
"IT is more important today than ever before," Brosterman says.
"Its importance has always been accepted, but it's mission-critical
now."

Randi Brosterman may be reached at rbrosterman@deloitte.com
immediately so I can see where people are deployed and
where I have extra capacity, for example.”
"The majority of IT
organizations  don't  have 
any  idea  of  the  lifecycle  of 
an  application — how  long 
they  want  it  to  last,  when  it 
needs  to  be  refurbished, 
replaced  or  disposed  of. 
Lacking  this  knowledge,  it's 
easy  for  applications  to  linger 
long  after  they  should  be 
gone,  and  for  companies  to 
spend  far  too  much  money 
maintaining  ailing 
applications." 


Nelson  recommends  that  people  metrics  be  updated  weekly, 
equipment  measurements  such  as  hardware  and  network 
uptime  be  updated  daily,  and  application  development  metrics 
be  updated  monthly. 

FitzGerald  also  warns  against  data  overload  on  the  dashboard.  “The 
brain  can  only  handle  between  five  to  seven  pieces  of  information 
at  a  time,  so  keep  it  to  that  level.  And  make  each  data  point  simple 
to  click  through  for  more  detailed  information,”  he  says. 

“The advantage to PSA solutions is that they provide very granular
data, which allows you to have good information that backs up
these measurements,” FitzGerald continues. Take the performance
parameters out for a test drive and calibrate them accordingly.
“When you’re setting up standards for the first time, you
don’t know whether you’re measuring the right things,” he says.
“Plan for a six-month break-in period to learn more about what
the strategy will be, and check back to make sure that you’ve got
the right measurements in place.”

6.  Communicate  performance  and  value 


Paul FitzGerald, principal in
Deloitte & Touche's Integration,
Development and Infrastructure
practice in the US.


“Once IT executives get their performance measurements in
place, they need to share the value metrics throughout the company.
One of the first places this should happen is at the executive
committee meetings,” says Plewa. “Technology strategy
should absolutely be on the table there. Don’t get muddled in
technical details, but put together a presentation executives can
relate to.”


One  way  to  build  a  well-rounded  IT  presentation  is  to  use  the 
balanced  scorecard  methodology  that  is  proving  valuable  at 


INDUSTRY INSIGHT:
Vicky Eng on Trends in
Consumer Business

Consumer business industries are the biggest spenders among the
separate industries in the Deloitte & Touche/IDG Research survey on
IT value. Fifty-three percent report that their budgets will
increase this year, while only 5 percent face a reduction in budget.
And they unanimously tout the value of IT — 100 percent of those
responding from the consumer business industry say their
companies consider IT value either critical or very important.

So how does this shake out in terms of industry trends? It's hard to
predict, owing to the many different segments that make up the
consumer business industry, says Vicky Eng, the consumer business
leader for the Management Solutions practice at Deloitte & Touche.
But she does pick out a couple of trends to watch:

Back to basics. "Two years ago, the attention of the CIO was
diverted by things like Y2K and online retailing," she says. "Today,
they are concentrating on things like building a robust data
communications infrastructure that can move large volumes of
information, particularly in the retailing segment." The most
significant spend, she says, comes at the point of sale, where the
data touches the customer.

Legacy integration projects. Instead of chucking legacy systems in
favor of ERP, many retailers are opting to integrate new
applications with their legacy apps. "They're using lots of
middleware to integrate business-to-business applications, as well
as applications within their own organization, instead of
many companies.

“The dashboard is the CIO’s view of the world, and the balanced
scorecard is a good way to get that view out into a business context,”
says FitzGerald, who specializes in balanced scorecards for
IT organizations.

If your company uses the balanced scorecard already, the smart
move is to embed IT initiatives and indicators within corporate
strategic goals, he explains. “For example, if one of the company’s
goals is to expand into Europe, and there is a technology
component to that, you must get that wrapped under how that
piece is shown on the balanced scorecard,” he says.

If  your  company  doesn’t  use  the  scorecard  methodology,  CIOs 
can  still  use  the  dashboard  to  create  an  IT-specific  balanced 
scorecard  that  comprises  four  major  components: 


Peer 

Benchmarking 


"CIOs  need  to  look  outside 
their  walls  and  compare  the 
performance  of  their  IT 
organizations  to  those  of 
other  companies,  both  within 
their  industry  as  well  as 
category  leaders  from  other 
arenas.  It's  a  fundamental 
thing  that  everybody  should 
do,  but  nobody  does  it." 


•  financial  issues 

•  internal  business  processes 

•  customer-related  performance 

•  learning  and  growth. 

Whether  it  is  done  as  part  of  a  company-wide  program  or  as  an 
internal  IT  project,  CIOs  should  make  the  effort  to  tie  their 
scorecard  results  back  to  the  original  IT  Value  Profile. 


Dean  Nelson,  leader  of  . 


7.  Benchmark  against  peers 

“CIOs need to look outside their walls and compare the performance
of their IT organizations to those of other companies, both
within their industry as well as category leaders from other arenas.
It’s a fundamental thing that everybody should do, but
nobody does it,” says Nelson.




turning the entire business process upside down with ERP," says Eng.
Forward-thinking companies are beginning to integrate business
systems across functions to create a seamless flow of information
throughout the company.

Structured measurement plans such as Six Sigma. Instead of
the traditional ROI view of IT, some companies are turning to
theories such as Six Sigma to measure IT value. "I'm seeing
organizations beginning to use Six Sigma as a basis and principle
for going about initiatives and evaluating success," Eng says. "The
principles aren't common yet, but there's a trend."

Eng emphasizes that there are plenty of laggards in the consumer
business world, but some companies are looking for ways to integrate
and communicate the value of IT beyond traditional structural lines.
"There's a real need to look at IT as a function that needs to
integrate across company lines," she says.

Vicky Eng may be reached at
veng@deloitte.com


WHO YOU GONNA CALL?

When asked which resources their companies will utilize to try to
understand and quantify IT value during the next 12 months,
respondents mention:

[Bar chart. Response categories: internal staff; articles in technology-related publications; white papers or case studies; industry analysts; vendor literature, sales reps, websites; consultants; academic experts (18%).]
IMPACT ON PERSONAL SUCCESS
FROM THE ABILITY TO MEASURE
AND DEMONSTRATE THE VALUE
OF IT INVESTMENTS

To  what  extent  does  your  ability  to 
measure  and  demonstrate  the  value  of 
your  company's  IT  investments  influence 
your  own  personal  success  at  work? 


About  The  Management  Solutions 
&  Services  Practice  of  Deloitte  & 
Touche: 

The Management Solutions & Services Practice of Deloitte & Touche
is a leader in impact consulting for innovative growth companies.
With an extensive global reach, we offer practical strategies and
services that can help you address your critical issues. Our
experienced consultants focus on assisting our clients to achieve
enterprise-wide solutions that can be flexible and provide
measurable results. From technology strategy and application to
integrated cost reduction, we can help you achieve end-to-end
solutions appropriate to your size and market. Solutions' distinctive
combination of industry specialization with multidisciplinary and
technological knowledge is aimed at helping you enhance your
operating efficiency and improve your financial performance. For
more information, please visit us at www.deloitte.com/us/mss.
That’s unfortunate, because peer-to-peer benchmarking provides
valuable  insights  for  CIOs  in  terms  of  gathering  performance 
comparisons.  Nelson  recommends  that  IS  executives  try  to  gather 
information  across  a  wide  range  of  topics.  While  spending  is 
always  the  measure  that  most  companies  primarily  compare,  he 
also  suggests  applying  balanced  scorecard  variables  to  the  process. 

He  suggests  researching  topics  such  as  utilization  of  staff,  how 
organizations  satisfy  their  internal  and  external  client  needs,  and 
whether  or  not  they  manage  IT  as  a  series  of  portfolios.  This  will 
give  CIOs  the  depth  of  information  necessary  to  truly  track  and 
compare  performance,  and  implement  new  best  practices. 

Implementing such a program doesn’t have to be an enormous
undertaking. In the current environment of reduced discretionary
spending, it is wise to start small. Check out the research
from industry associations. Subscribe to magazines like CIO, or
join their online peer communities.

Some action is better than none. “It doesn’t have to be a formal
process,” Nelson says. “But it does have to take up more of a
CIO’s time than it does now.” And don’t make your benchmarked
performances your new god. “Use the information to
validate the target, not be the target,” advises FitzGerald. “All
you're trying to do is make sure that the calibration is correct.
Don’t assume that the benchmark is the metric. It’s there to
help you fine-tune your performance against your target. All it
does is let you know whether you’re in the ballpark.”

There is general agreement that CIOs will face difficult conditions
for some time to come. FitzGerald doesn’t mince words.
“It’s a rough road ahead, but CIOs are stuck, and this is the only
way they can start to pull themselves out,” he says. “Cost metrics
are not going to go away, but the more value metrics you can
use, the better off your organization will be.”

Putting in the time and effort will pay off, Deloitte & Touche
executives believe. Imagine progressing steadily away from the
commodity cost center to a vibrant organization that truly functions
as a business partner and drives new profit opportunities
with technology initiatives that truly create value for the business.
There will be no question of an available seat at the strategy
table for the CIO. The seat will have been earned.

The  Advisors 

The  key  Deloitte  &  Touche  thought-leaders  who  contributed 
insight  and  analysis  to  this  report  can  be  reached  at: 

Dean  Nelson:  deanelson@deloitte.com 
Paul  FitzGerald:  pafitzgerald@deloitte.com 
Jeff Plewa: jplewa@deloitte.com
CIO ENTERPRISE
VALUE AWARDS


The  Resource  for 
Information  Executives 


As  an  executive  who  has  built  or  utilized  an  IT  system  that 
delivers  both  demonstrable  ROI  and  strategic  value  to  your 
organization,  you  deserve  recognition  and  praise. 

Now  in  its  12th  year,  the  CIO  Enterprise  Value  Award  will 
bring  you,  your  company  and  your  IT  organization  the 
industry  prestige  you  deserve. 


Download  the  application 
from  our  website  at 
www.cio.com/eva 
or  contact  Lynne  Rigolini 
at  (508)  935-4088. 

Deadline  for  entry: 

May 15, 2003
GAO: Wall Street Vulnerable

LAST AUGUST, the three institutions that stand guard over the
nation’s financial health — the Fed, the Office of the Comptroller
of the Currency and the SEC — suggested steps to fortify the U.S.
financial system against disasters such as the Sept. 11 attacks.

One idea, which proposes that Wall Street companies locate their
main and backup data centers some distance apart — say 200 to
300 miles — was dismissed as an economic boondoggle. With current
technology, putting data centers more than 60 miles apart creates
latency problems. In comments submitted to the SEC, SunGard Data
Systems said 90 percent of companies affected would have to replace
their IT infrastructures. Sen. Charles Schumer (D-N.Y.), a member of
the Senate Banking, Housing and Urban Affairs Committee,
subsequently pronounced the proposal dead. Yet a recent report by the
General Accounting Office makes a case that the economic devastation
any future disaster could cause — whether it’s a terrorist attack or
a hurricane — warrants the expense.

The GAO report reviewed the business continuity plans of 15 major
trading or financial clearinghouse organizations. Investigators
found that despite some improvements, most companies were still at
risk of being wiped out in a disaster. Nine of them couldn’t ensure
that they could function if the staff at their primary data center
was incapacitated. Ten either have their backup facilities within
10 miles of their main data sites or they have no backup facilities
at all.

The report also questions the SEC’s ability to enforce better
security. Compliance with minimum data security and business
continuity requirements established by the SEC’s underfunded
Automation Review Policy (ARP) program is voluntary. The GAO
concludes that procedures such as the ones outlined by the Fed and
others should become requirements.

Putting more distance between data centers would be a key element of
any regulatory scheme (and would presumably energize vendors to
address technical obstacles). Sarah Diamond, a senior vice president
with BearingPoint (formerly KPMG Consulting), says companies are
warming to the idea, particularly if they could be allowed to
outsource the backup data centers offshore. The SEC hints it might
use some of the money authorized under the Sarbanes-Oxley Act to
give the ARP some muscle. But unless the subject gets more than lip
service, it may take another disaster before the financial services
industry is willing to swallow its medicine.

-Ben Worthen


FCC Rule Could Increase Broadband and Telephone Bills

COMPANIES RELYING ON DSL lines for broadband service may see prices
increase during the next three years after a February Federal
Communications Commission vote governing local phone and broadband
network service. In addition, CIOs doing business with several phone
companies nationwide could see the price of local service rise, all
because the regional Bells would no longer be required to share
their lines at a discount with competitors.

The FCC’s vote, required under a May 2002 court order that threw out
old FCC rules that were too restrictive, decided how much of the
local telephone and broadband networks owned by the regional Bells,
such as Verizon Communications and SBC Communications, must be
shared with competitors at a discount. The vote gave most of the
responsibility for deciding the rates — at least for local, small
business and residential phone service — to the states.

Within days, the regional Bells, which wanted fewer pricing
regulations and nationwide rules, threatened to take the FCC to
court; the issue has already landed there twice since the
Telecommunications Act of 1996 established the network-sharing plan.
That means the final results are still up in the air.

When all is said and done, most large businesses probably won’t see
changes in their local phone service because Bell competitors
serving the large-business market, such as AT&T, already own their
own network facilities. The same is true for companies that use
either the Bells or their national competitors, such as Covad
Communications, for broadband access. But companies served by
smaller, regional DSL providers without their own facilities may
have more difficulty putting together national contracts. And they
could see significant price increases, says Darrell McKigney,
president of the Small Business Survival Committee. “This ruling is
certainly a threat to competition for small businesses,” he adds.

-Grant Gross

make recycling part of the deal up front,” rather than worrying
about recycling when computers get old.

Certain hardware vendors offer recycling services, but they come
with a cost. Monitor maker NEC-Mitsubishi Electronics Display
recently launched a recycling service called Total Trade. The
service was started, says Vice President of Marketing Al Giazzon,
because “a lot of our customers are concerned with the disposal of
monitors, and they are unsure how to do it.” NEC-Mitsubishi handles
all the administrative paperwork, physical pickup, disposal and
recordkeeping. The cost of recycling averages $25 per unit based on
high volumes, he says.

As part of its Global Asset Recovery Services, IBM Global Financing
has several options for hauling away old equipment, including
revenue-sharing based on equipment resale (which operates like a
consignment sale), removing old equipment for a fixed price, and a
no-cost disposal option. With the latter two options, any
nonmarketable assets are disposed of and recycled. The equipment’s
owners are indemnified from any future disposal issues.

-Megan Santosus
TECHNOLOGY RECYCLING

Rising Costs of High-Tech Garbage

DISPOSING OF OLD COMPUTERS isn’t as simple as putting them out with the rest of the corporate trash. Many computer components contain hazardous materials such as cadmium, lead and mercury. And with this year’s Earth Day celebration scheduled for April 23, it’s worth noting that the problem is only getting worse: The Environmental Protection Agency estimates that 250 million computers will be retired during the next five years.

Recycling Resources

In addition to each state’s department of environmental protection, there are several online databases that list local and regional recyclers, as well as programs for educational donations.

NATIONAL RECYCLING COALITION
www.nrc-recycle.org
A nonprofit organization that provides technical education, spreads information on recycling issues, helps shape recycling policy and encourages recycling markets.

ELECTRONICS RECYCLING
www.electronicsrecycling.org
Provides information on collection, demanufacturing, and refurbishment and resale for electronics recycling. It also lists ideas for households and organizations to promote recycling and reuse.

THE COMPUTER RECYCLING CENTER
www.crc.org
Promotes the reuse of computer and electronics equipment, and the recycling of unusable elements.

SHARE THE TECHNOLOGY
www.sharetechnology.org
Connects potential donors and recipients, providing state-by-state listings of those looking for or looking to discard technology.

RECYCLER'S WORLD
www.recycle.net/recycle/computer
Lists several categories of technology recycling, including computers, printer cartridges and telephone equipment, with links to companies, associations and publications related to each specific category.

Companies must comply with hazardous waste regulations when they get rid of old PCs and CRT monitors. (According to the EPA, CRTs are prone to flunking the government’s hazardous waste toxicity leaching standards.)

For larger companies, sending old PCs off to a hazardous waste facility can become a legal nightmare. Improper disposal resulting from carelessness, ignorance or hiring a disreputable recycler raises the specter of future liability. One option is to hire an export broker that sends the materials abroad. But once on foreign shores, who knows whether the equipment is disposed of in an environmentally friendly manner?

To minimize environmental impact and legal liability, the best bet for companies is to find a reputable recycler that reduces computers down to their component commodities with as little residual waste as possible. Unfortunately, finding a good recycler requires some legwork because the recycling industry is still fragmented. To find a reputable recycler, the EPA recommends contacting the hazardous waste experts at your state’s department of environmental protection (see “Recycling Resources” at left).

Clare Lindsay, a project director at the EPA’s office of solid waste, would like to see CIOs become much more proactive by encouraging vendors to offer comprehensive recycling programs.

“When [CIOs] buy computers, they should be raising the recycling issue with their vendors,” Lindsay says. “They should


Christopher Hoenig | Total Leadership

Hidden Assets

Strategies for managing your intangible leadership “capital”

WHETHER YOU KNOW it or not, your “leadership capital” is always at stake, always in flux and always a key factor in determining your success in any endeavor. Leadership capital can be formed or drained, managed or mismanaged, and can have a high or a low yield.

In most discussions on leadership, the emphasis is on sexy issues such as vision, goals, strategy and decision making. There is far too little talk about leadership capital, which I define as an executive’s resources available to fuel his agenda. A lack of leadership capital awareness can lead to dangerous misconceptions among many aspiring leaders — for capital is not merely a constraint or an enabler, it is a central force in leadership.

I wish I had learned that lesson earlier in my own career. Hearing people speak of “political capital” got me thinking about the hidden threads that form the fabric of great leadership. Having seen the dynamics of leadership capital in small-scale entrepreneurial operations, at a moderate scale in major corporations and at a large scale in the federal government, I have learned a set of essential principles governing capital. I hope they’ll help you and perhaps inspire you to share some of your own lessons.

Capital is indivisible. Your capital is made up of all the political, personal, intellectual, physical and monetary assets you can bring to bear in meeting challenges. These are all interrelated. A big budget enhances authority. Reputation qualifies personal wealth. As a result, leaders need to manage their total capital.

The most clearheaded leaders I’ve known — my best recruits, most valuable allies, greatest mentors and most dangerous adversaries — have always viewed capital in its totality. I’ve also observed leaders that compartmentalize it. For instance, they rely on authority, budget power and position, while neglecting trust, respect and goodwill. That approach limits what they can accomplish.

Soft capital drives hard capital. Soft capital — people, relationships, ideas, information and reputation — determines the allocation and value of hard capital, such as money and physical assets. The best hard assets in the world can be rapidly destroyed in the hands of a corrupt leader or at the mercy of fluctuating demand. One of my mentors used to call the elements of soft capital “the four Cs”: character, competence, contacts and creativity.

The reason Tylenol remains a byword for crisis management is that the manufacturer’s leadership recognized from the outset that the risks to the company’s soft capital would affect its hard capital for many years to come. During poisoning scares in 1982 and 1986, Johnson & Johnson quickly recalled Tylenol products from stores. Because of this widely lauded response, the short-term costs of the crises, though high, were temporary.

Capital isn't always transferable. The value of your leadership capital varies according to where you work, where you are and who you work with. Track records in one industry might not transfer to another. Outstanding accomplishments in one organization may be below average in a world-class enterprise. Budgetary authority and company reputations mean different things in different countries.

Perhaps the best thing you can do is gain a sense of what forms of capital are genuinely transferable in your situation. These vary from great accomplishments and brand-name employers to prestigious awards and exclusive memberships. The best career advice I ever got was to look for intersections between my passions and opportunities that would expand my future options.

Markets make capital grow. Part of the miracle of financial markets is that they provide a means of increasing stocks of capital. Although leadership markets in and among organizations are informal and invisible, they too can make capital grow. They are driven by word of mouth and track records, and mediated by headhunters and board members.

The better you are at creating markets for leadership, the more capital you and your organization will have at your disposal. I once counseled a client on building a leadership development system, which involved all the existing leaders of the organization in choosing, nurturing and managing future leaders. By creating a market for leadership, these leaders were also refreshing their own leadership capital base.

The best capital is scarce and sensitive. Cash under the mattress and T-bills are safe forms of financial capital, but they are not premium capital. For leaders, a world-class reputation, brilliant personnel, revolutionary inventions and strategic alliances are premium capital with extremely high value. That type of leadership capital can bestow an extraordinary advantage. It can be leveraged to accomplish your goals and attract other forms of capital — such as a big budget and a great staff. But by its very nature, premium capital is hard to build and often very easy to destroy. One scandal tarnishes a career. A competitor poaches the high-flyers on your staff. Innovation renders a key patent obsolete. One flaw turns an alliance into a trap.

Wise leaders look for ways to build premium leadership capital but not depend on it too much, so that they can use it to their benefit but limit the risks. My basic rule is if your premium capital is highly leveraged and relied upon for more than a few weeks or months, then you’re in a danger zone.

Capital can be overspent. Financial investors manage their portfolios for a high yield. Managing your leadership capital is also about yield — getting the greatest result for the least possible investment. With leadership capital, yield comes in many forms: increased options, better outcomes or improved strategic positioning. But if you always strive to maximize yield — by, say, leaning too heavily on your relationships with other executives — you risk spending down your leadership capital. A better approach is to pick your spots, applying your capital only when it can make a difference for your position or your company.

In summary, be aware of your leadership capital, or it will limit you. Manage it poorly and you’ll find yourself constrained and unable to control risks, which will lead to suboptimal outcomes and will decrease your capital stock. Manage your leadership capital well and you’ll find yourself able to reach for higher goals and manage risks with an increased probability of success — which will increase your capital. So take stock of your own leadership capital and how you’re managing it. Changing the way you think about capital is one more way to bring your leadership to a new level.

What are your thoughts on leadership capital? Write us at leadership@cio.com. Christopher Hoenig is a director of strategic issues for the General Accounting Office and has been an entrepreneur (CEO of Exolve), consultant (McKinsey & Co.) and inventor; he is the author of The Problem Solving Journey: Your Guide to Making Decisions and Getting Results.
It’s All About the Execution

What Price Security?

It’s up to the company, not the CIO, to decide how much trust is too much

I COMMITTED A CRIME in order to write this column. I stole Kevin Mitnick’s book. You know Kevin Mitnick. He’s the famously felonious weasel who lies, cheats and steals his way into other people’s computer systems. He’s a hero to hackerdom. But rather than contribute to his royalties or sales, I used his suggested techniques of “social engineering” to filch a copy from his publisher. It felt good. Thanks, Kevin.

In fact, reading Mitnick’s book was a powerful experience. Not because the book was well-written — although it’s not bad — but because it tells story after painful story of people who got digitally screwed because they trusted jerks such as him. They tried to be helpful; they tried to be responsive; they tried to be kind. That was their fatal mistake. When a Kevin “Klone” pretends to be from a help desk, you know who’s really getting helped. The essential Mitnick message is that “trust” creates vulnerability. Trust is the gift that makes Mitnicks possible.

That’s what makes implementing network security so hard. It isn’t that people are always the weakest link, or that the code has more holes than Swiss cheese, or even that Russian mobsters now have the resources and incentive to crack any system they choose. It’s that effective network security means building systems that tell people they can’t be trusted.

Most reasonable people — your customers, your employees and your suppliers — resent being treated as untrustworthy. The natural human tendency is to resist initiatives that presume we are potential liars, cheats and thieves. Yes, we’ll tolerate memorizing a password or two, but how many hoops do you seriously want us to jump through? You’re kidding, right?

Computer security is doomed to become even more cumbersome and costly. Why? Because the more dependent organizations become on their networks, the less trusting they can afford to be. That’s the Net-centric enterprise security paradox: The more access I need to be more effective, the more effectively I need to be monitored. The more network access we give to our customers, suppliers and ourselves, the more network protection we all need. Everyone becomes more vulnerable to being Mitnicked or SQL Slammed.

This is where CIOs get screwed. Unlike virtually every other facet of network economics, computer security doesn’t enjoy economies of scale. Security inflicts diseconomies of scale. Giving more people more passwords hardly represents an “economy of scale.” To the contrary. It represents new complexity that has to be managed, tracked and audited. That’s both computationally and organizationally expensive.

Network security costs disproportionately accelerate as organizational Net-centricity increases. I’ve personally witnessed recognition of how this reality infuriates top management. By the time one bank calculated the costs of making certain databases available to both customers and loan officers, the proposal’s ROI was ruined. Security killed its CRM. Executives spoiled by favorable network economics believe their security spend should, at worst, be a relatively fixed percentage of the network budget. Never happens.

Security costs almost always spike and surge beyond expectations. The underlying dynamic is inescapable. When more people have more real-time access to more data of ever more value, the risks associated with security breaches exponentially increase.

Those problems can’t be solved. They can only be managed. Most companies manage them by telling the CIOs that they’re in charge of network security. Thanks a lot.

The serious question is, how should CIOs manage these excruciating trade-offs between network economies of scale and network security’s diseconomies of scale? My answer is that CIOs should tell their operating committees and their boards that it isn’t up to IT to define what “trust” means or what it’s financially worth.

It’s Not Your Job

Simply put, CIOs should never, ever be put in charge of their organizations’ computer security policies. CIOs are in the worst position to evaluate security trade-offs precisely because they know better than anyone else the technical trade-offs between making their networks more cost-effective and making them more secure. They’re inherently biased to technical solutions because that reflects both their budgets and their expertise. But because security almost always becomes a people issue, most CIOs have neither the organizational standing nor the interpersonal skills to assure enterprisewide compliance.

Put it another way: Unless CIOs and IT have the explicit power to fine or fire any employees who violate security, they shouldn’t be made responsible for security. Fortunately, CIOs have a more important role to play in security policy debates.

While CIOs shouldn’t say how much trust is worth, they have every obligation to insist that legal and finance do. CIOs need to push and challenge marketing about just how much customer inconvenience for “improved” security is too much. The CIO’s goal must be to get the organization to align its investments in network security to reflect perceived risk. The entire enterprise, not just IT, then has to decide how to manage that risk.

Security for the sake of security is inherently wasteful. It’s bad business. More dangerously, it breeds contempt from those who hate complying with inefficient and ineffective security protocols. The best counter is for IT to insist people put in writing scenarios of what they want their security interactions to look like in 18 to 24 months. Security is a process to be managed rather than a goal that’s achieved. Thus, people must be pushed to decide how far they want to go in enforcing trust. The notion that computer security is whatever IT says it is is the abdication of professional responsibility.

Should individuals, teams or departments be encouraged to design their own computer security regimes? How should employee breaches of security protocols be disciplined? Does the organization have the right — indeed, the obligation — to stress-test its security systems by trying to trick its employees into breaking the rules? In other words, should an organization Mitnick itself as a way to immunize itself against the real Mitnicks? The harsh fact is that security systems work only if you institutionalize a certain degree of distrust.

But how much distrust is too much? When does the cost of distrust outweigh its business benefits? CIOs have no way to know the answer to those questions. They do, however, have every opportunity and obligation to collaborate with every function and department to find out. Savvy CIOs will insist their organizational partners demonstrate how well they can enforce the security protocols they deem so vital. IT’s job should be to help them do that, not do it for them. CIOs aren’t members of the CIA.

Yes, CIOs need to be abreast of the tools, technologies and techniques like honeypots and PKI to assure an appropriate portfolio of security options. In the final analysis, however, organizations determine what’s worth protecting and what’s not. The organization must declare what levels of trust and openness are dangerously inappropriate. It’s up to CIOs to make organizations cognizant of that.

Michael Schrage is codirector of the MIT Media Lab’s eMarkets Initiative and author of Serious Play. He can be reached at schrage@media.mit.edu.
CIO Perspectives

THE COMPLETE CIO

AN AGENDA FOR PROFESSIONAL AND PERSONAL SUCCESS

Hyatt Regency Coconut Point Resort & Spa • Bonita Springs, Florida • April 27-29, 2003

SUNDAY, APRIL 27

8:00 am-1:30 pm
Golf Tournament

3:00 pm-5:00 pm
Registration

6:00 pm-8:00 pm
Registration, Welcome Reception & Golf Awards

MONDAY, APRIL 28

7:00 am-8:00 am
Networking Breakfast

8:00 am-8:15 am
Welcome
ABBIE LUNDBERG, Editor in Chief, CIO Magazine
JONATHAN ZITTRAIN, Conference Moderator and Cofounder, The Berkman Center for Internet & Society, Harvard Law School

8:15 am-9:15 am
The Complete CIO
CHARLIE FELD, Founder, The Feld Group & Former CIO of First Data Resources, Delta Air Lines, Burlington Northern and Frito-Lay

CIOs increasingly have more of a hand in defining and driving corporate business strategy. And everyone — business line managers, the executive management team, the CEO, the board of directors — has greater expectations of their CIO. What are the essential skills and attributes needed to thrive in the CIO role today? Charlie Feld talks about his own experiences over time as CIO of very diverse businesses, and what his client companies demand today.

9:15 am-9:40 am
2nd Annual State of the CIO Survey Results Highlights
LORRAINE COSGROVE, Research Editor, CIO Magazine

This year's exclusive survey of over 500 IT chiefs reveals a very different set of challenges and a new set of priorities from a year ago. We share some of the highlights.

9:40 am-10:30 am
View from the Top: Creating Value Through IT
NIGEL MORRIS, Cofounder, President & COO, Capital One Corp.

Morris shares his viewpoint on the role of IT, and the criteria for measuring a CIO’s ability to articulate and deliver true IT value to the enterprise.

10:30 am-11:00 am
Coffee Break and Sponsor Exhibits

11:00 am-12:40 pm
Sponsor Briefings

12:45 pm-2:15 pm
Networking Lunch

2:30 pm-3:30 pm
The CIO Interview
MONTE FORD, Senior Vice President & CIO, American Airlines

Ford took on the top IT spot at the world’s biggest airline at the end of 2000, then had to deal with the acquisition and merger of TWA, the economic recession, Sabre selling its outsourcing business to EDS — and the events of 9/11. CIO magazine Editor in Chief Abbie Lundberg talks with Ford about his pivotal role in the organization and his plans for the future of IT.


3:30 pm-5:00 pm
Delivering Value: How to Manage Your IT Portfolio and Make a Strong Business Case
Moderator: ABBIE LUNDBERG, Editor in Chief, CIO Magazine
Participants:
TIMOTHY M. FERRARELL, Senior Vice President, Enterprise Systems, W.W. Grainger, Inc.
JACK KEEN, Coauthor, Making Technology Investments Profitable
DR. HOWARD RUBIN, Vice President, META Group, Inc.

In today's business environment, it’s all about value. And it’s up to the CIO to make sure that every IT investment delivers maximum returns. In this session, we’ll explore how to build the portfolio that’s right for your organization, how to manage it for greatest business benefit, and how to use it as an effective communications tool with your business partners. We’ll also discuss how to make a compelling business case for new IT initiatives — even if your company is in cost-cutting mode.

5:00 pm-6:30 pm
CIO Peer-to-Peer Networking & Reception

TUESDAY, APRIL 29

7:00 am-8:00 am
Breakfast & Informal Discussion Roundtables

8:00 am-8:45 am
What Every CIO Should Know About Digital Rights Management
JONATHAN ZITTRAIN

Entertainment companies aren’t the only ones with digital content worth safekeeping. More companies now are realizing the potential threats and are seriously weighing the risks of not implementing digital rights management (DRM) technologies. Zittrain explores recent trends in DRM deployment and discusses the impact on businesses of all types.

8:45 am-9:45 am
Best Practices for Getting Outsourcing Right
Moderator: MARTHA HELLER, Director, CIO Best Practice Exchange & CIO Select
Panelists:
LARRY FRAZIER, CIO, Chevron Phillips Chemical Company LP
DANIEL L. ROBERTS, Executive Vice President & CIO, PMI Group, Inc.
HANK ZUPNICK, Senior Vice President & CIO, GE Real Estate

Any CFO will tell you that the more you outsource the more you save. But as CIO, you know the pitfalls: lowered productivity, cultural conflicts, service level problems, to name only a few. This panel of CIOs, drawn from the CIO Best Practice Exchange, our online network of CIOs, will provide best practices for determining what to outsource when, and how to sell the strategy to the board.
EXECUTIVE SUMMARY

Recent events and regulations have made data protection and management more critical than ever. Read this report to learn more about:

■ How some companies have found new ways to secure their critical information assets including electronic vaulting for servers and PCs;

■ The new regulatory and business challenges facing IT executives;

■ Expert advice on how your enterprise can launch a Data Protection Agenda that helps you look for holes, stop the leaks and weigh the risks inherent in data protection.

BY NOW, CIOS ARE USED TO RAPID SHIFTS IN CORPORATE technology. But when it comes to protecting and managing data across the enterprise, they face a landscape that’s changed nearly beyond recognition.

Data no longer rests safely in a fortified data center. Instead, IS executives face the challenge of protecting and managing data that’s scattered across the enterprise — on mobile laptops, desktop PCs and departmental servers in remote offices worldwide. And in the wake of the crack-down on corporate accounting practices, CEOs and CFOs have a vested interest in the integrity of corporate data, adding more pressure to the CIO’s data protection responsibilities. “Electronic records management has been recently exposed as an organizational imperative,” writes Andrew Warzecha, a Meta Group analyst, in a 2002 report. “Organizations must identify and begin treating electronic records with the same rigor as paper-based records, and as part of an overall organizational records management plan.”

Yet as new areas of exposure surface, data protection has moved beyond the traditional scope of backing up and securing information to encompass the notion of data lifecycle management, says Kevin Roden, CIO of Iron Mountain, a Boston-based information management company.

AMONG  THE  NEW  CHALLENGES: 

The Sarbanes-Oxley Act — Signed into law in July 2002, the Sarbanes-Oxley Act is designed to prevent corporate scandals such as Enron’s and Tyco’s by making CEOs and CFOs of public companies legally accountable for the veracity and integrity of their financial statements. The law also creates a new federal crime for the destruction, mutilation or alteration of corporate records with the intent to impede or influence a government investigation or official proceeding. Failure to comply with these regulations will result in fines and prison. Which for a CIO means that now, more than ever, IS leaders are on the hook for making sure that their corporate data is irreproachable. “In my company, I must sign for the validity of the company's performance every quarter,” says Roden. “More and more CIOs will end up doing the same, and they need to have sound data management processes in place before they can do so.”

GOT A QUESTION ABOUT DATA MANAGEMENT OR PROTECTION?

Send an e-mail to Iron Mountain CIO Kevin Roden at cio@ironmountain.com. For more information about Iron Mountain's data protection solutions, visit www.ironmountain.com.

The High Cost of Discovery—Many companies make the mistake of thinking that data backups are sufficient for both disaster recovery and regulatory compliance. The good news: executives increasingly understand the necessity of saving critical information. The bad news: they don’t make the key distinction between backing up and archiving data. Backup data is essentially a record of corporate data preserved at a certain point in time. It recreates the entire data stream of a company, which is good for data recovery purposes, but poses a daunting and expensive challenge if the backup data needs to be searched for one key piece of information required for regulatory purposes. Archived data, on the other hand, is arranged and indexed such that it’s much easier to pluck key bits of data as needed from the archive. Effective data management today requires data backup and archiving strategies to satisfy recovery and regulatory demands.

“Backing up all data to tape will not serve you well if you need to pull data for a lawsuit,” says Roden. Say a brokerage is sued by a client for giving bad advice in 1999. “The burden of proof has shifted to the defendant for providing information,” says Roden. “That means the brokerage firm must sift through its stored data presented to the client in that timeframe—newsletters, correspondence, trade confirmations, e-mail—all of it must be produced.” If the only type of data available is backed-up file information, the task will prove torturous. E-mail alone will take weeks. “We always say that it takes a week to recover a day,” he adds.

Kevin Roden's Seven Deadly Sins of Data Mismanagement

Iron Mountain CIO Kevin Roden has a keen sense of what IS leaders need to do to best manage and protect their companies' critical data assets. But he also knows where they can go wrong. Here are the key missteps to avoid:

TUNNEL VISION. Failure to recognize that critical servers exist outside the data center exposes your company to critical data loss. Reality check: up to 60 percent of corporate data now resides outside the direct control of IS staff.

TURNING A BLIND EYE. Data on individual PCs and laptops is critical to your company. But important as it is, such data is almost always unprotected. Expecting individual employees to regularly back up their computers is unrealistic at best, and dangerous at worst.

LACK OF DIFFERENTIATION. There is a distinct difference between backing up and archiving data. Both serve different business needs, and both are essential. Don't make the mistake of thinking that doing one will address the needs of the other.

INDIFFERENCE. If you don't continually test and refine your plan, it will fail. CIOs only know what will work and what won't on their disaster recovery plan if they've actually put that plan through its paces.

INCOMPLETENESS. Don't forget the tertiary files when backing up, such as data catalogs and directories that are essential to rapidly recover data. DR is slowed when the means to organize data and get access permissions is missing.

LINEARITY. Think differently about your data; don't fail to recognize data assets as corporate records.

PROCRASTINATION. Doing nothing will guarantee that you are not prepared when you need to be. Don't miss this chance to reassess and engage your organization in responsible protection and management of data as a corporate asset.

Kevin Roden, CIO, Iron Mountain

Exponential Data Growth — Companies are storing unprecedented amounts of information each year, and storage needs are skyrocketing. The percentages vary, but analysts estimate that corporate storage requirements grow anywhere from 40 percent to 75 percent annually at many companies.

Data Outside the Data Center—Data is everywhere in companies today. From the mobile executive who boots up his laptop to check out the latest sales figures to the important client database stored on a remote server in Akron, huge chunks of corporate data have moved out of the data center—and out of the CIO’s control. In fact, a recent Pepperdine University study found that 60 percent of corporate information resided on PCs.

“All of that data has criticality that needs to be addressed from a backup standpoint, and technology leaders need to worry about that,” says Roden. With so many users on the move with their computers, it’s difficult for IS staffers to keep up. The result: a frighteningly large chunk of data that is not managed consistently.

When Rader, Fishman & Grauer, a leading national intellectual property law firm, faced the challenge of managing and protecting data across the enterprise, the firm chose to implement a solution to address its varying business needs across its main offices in Michigan, Utah and Washington, D.C.

“We implemented Electronic Vaulting in regional offices to ensure backup policies were being met, and the data could be restored quickly and efficiently back to those locations,” says Sheila Schulz, the firm’s IT director. “Electronic Vaulting was a great complement to the tape vaulting services that work very well for us in our central location.”

The  bottom  line  for  IT  leaders:  risk  management. 
“Managing  risk  within  the  context  of  all  physical 
and  digital  organizational  data  and  content  is  an 
organizational  legal  imperative,”  writes  Meta’s 
Warzecha.  “Now  that  this  issue  has  been  exposed, 
electronic  records  management  systems  (ERMS) 
are  becoming  the  business  requirement  and  legal 
imperative  they  always  should  have  been.” 

All  of  which  adds  up  to  a  significant  burden 
for  CIOs.  They  need  to  know  not  only  how  to 
store  data  efficiently,  but  also  how  to  manage  and 
protect  data  strategically.  CIOs  need  to  adopt  a 
data  protection  and  management  agenda. 

The  CIO  Data  Protection  Agenda 

■ ACTION ITEM: LOOK FOR HOLES IN YOUR DATA STRUCTURE.

If you want to know where the data leaks are, take a look at your data structure from a bird’s-eye view. By analyzing the big picture, details will come into focus, making it possible to identify the common gaps and exposure points where a corporate data protection plan is most vulnerable. CIOs can then identify the tools and processes that will help to stop the leaks. Questions to ask: Where is data not backed up regularly? Does the problem lie in the myriad of desktop machines that are the backbone of corporate life? Or is it that remote server in the branch office?

A tool such as Iron Mountain’s Electronic Vaulting backup and recovery services for PCs and servers can help IS executives strengthen their protection strategy by ensuring that servers and PCs at all locations are automatically backed up. Electronic Vaulting runs seamlessly in the background, backing up data over the Internet to a secure off-site vault. Users are not affected in any way, and recovery can be done using a simple Web-based user interface.

The U.S. Small Business Administration recently switched to Electronic Vaulting to automate its backup and recovery of more than 93 servers scattered in district offices from St. Croix to Guam. According to CIO Lawrence Barrett, the solution helped him ensure the protection of mission-critical data on remote servers throughout the SBA (see case study).

■  ACTION  ITEM:  STOP  THE  LEAKAGE. 

CIOs can—and must—take a major step toward building a comprehensive data management and protection policy by invoking a solution that’s oriented toward remote and/or mobile data.




CIO  ADVERTISING  SUPPLEMENT 



Electronic Vaulting Brings Peace of Mind to SBA

The U.S. Small Business Administration understands firsthand that disaster can strike without warning. After all, the SBA has loaned significant amounts of money to small businesses for disaster relief over the years.

So when CIO Lawrence E. Barrett took a look at the data backup methodology for nearly 100 local SBA offices, he was quick to see a potential disaster in the making.

"We were relying on individuals at each office to do the backups," he says, "and it just wasn't reliable. The people weren't always there; they had to deal with equipment failures and broken tapes—there was just a lot of potential for trouble."

And Barrett knew that SBA employees, who provide vital data on small business to bodies such as Congress and the Office of Management and Budget, could not afford to be without reliable protection to critical data. "It would be a huge and visible embarrassment if we couldn't come up with a file that was needed up on the Hill," he says.

Barrett took the guesswork out of remote server and PC backup by implementing Server Electronic Vaulting from Iron Mountain. The service automatically backs up data from each SBA location using the Internet, and stores it securely in an off-site vault. Moreover, users can easily and instantly recover local files in the event of an outage by using a simple Web-based user interface.

For Barrett, Electronic Vaulting has proven to be a huge relief. "This takes backup out of individual's hands," he says. "Our backup and recovery operations are much more efficient and reliable than they used to be, and the central administration simplifies things for the IS staff, too. It really gives me peace of mind."


“You need to make sure that you have all the data backed up whether it's on a mobile product or not, and you need to realize that you cannot ask the user to do it for you,” says Roden. “I’ve always found that if you rely on business users to implement a backup process, it won’t work. You need to take people out of the equation.”

Instead, use technology, he says. “A solution like Iron Mountain’s PC Electronic Vaulting service is not only more reliable, it’s oriented toward data that doesn’t reside centrally on servers,” Roden points out. The service is unobtrusive to business workers—user data is automatically backed up in background mode when mobile workers log on.

Most important, Electronic Vaulting allows the CIO to reliably put in place a data protection strategy that covers the entire range of data within a corporation. “Businesses can now ensure that critical business data is protected without having to burden IS staff with more data backup tasks,” says Roden.

When Mark Thompson, CIO of Hallmark/Crown Media, realized that some of his organization’s data was not consistently backed up and protected off-site, he turned to Iron Mountain for help. “We implemented PC Electronic Vaulting to ensure backup policies were being met, and that data was being protected in a consistent manner—regardless of where it resided,” Thompson says. “With Iron Mountain’s automated solutions, we were able to take the burden out of backup—enabling us to accelerate user adoption and implementation.”

■ ACTION ITEM: ANALYZE AND WEIGH THE RISKS.

When it comes right down to it, all data is not created equal, but most IS organizations tend to treat it that way. The nonessential files get backed up over and over again, along with the vital business data that drives company revenues. The result: companies spend more than they have to on storage and backup, and make it more difficult to recover the important information in an emergency.

“Today, data protection has got a large component of risk analysis to it,” says Roden. “CIOs need to figure out not only how to safely secure their data, but they also need to decide which data is important to keep, because clearly it’s not cost effective to keep it all.”

Such a task is fraught with regulatory implications, so the consequences of inadvertently jettisoning the wrong data are huge.

CONCLUSION:  ACT,  DON'T  REACT. 

One thing is certain: CIOs must rush to meet the new reality of enterprise data management now, before disaster strikes and brings the reality crashing down upon mismanaged, unsecured data. “Now’s the time to take steps to secure the critical data assets of your company,” emphasizes Roden. “Your senior executives are very interested in data protection and preservation right now, as they fear to be held personally responsible. If you have holes in your processes and plans, fix them now.”
CIO needs to adapt to greatly different human interactions to handle the 360 degrees of interaction. You can't always be your own mentor. Executive coach Michael Brenner discusses the special challenges CIOs face and how to use executive coaching as a tool. The benefits can include having an objective sounding board, determining accountability, resolving conflict and maintaining work/life balance. He provides sources of executive coaches, tips on how to pick and work with one, and explores specific situations suggested by attendees.

In Focus Workshop #3
Plugging Business Case Leaks in the IT Value Pipe

JACK KEEN, Coauthor, Making Technology Investments Profitable

A dependable business case is a vital management tool, not just to “get the money,” but throughout the entire life cycle of a project, from the moment it is conceived, through proposing, selection, implementation and systems operations. Like many things in life, however, business case appearances can be deceiving—the majority are unintentionally inaccurate and incomplete, thus dangerously misleading in their recommendations to management. Keen shows us how to identify the likeliest weak links and fix them. He shares how to avoid missing benefits, missing intangibles and poorly supported calculations and reasoning.

In Focus Workshop #4
Effectively Marketing IT Internally

PATTY JARAMILLO, Founder, Creative IT Marketing

A common CIO lament is that the business and financial sides of the house don't understand IT—but Jaramillo’s recent study shows that most CIOs do not have a plan in place for internal marketing communications for IT. To be successful, you need to continually educate the business side to IT value, and you need to do it in terms they understand. Jaramillo talks about the importance of being an active communicator, and shares techniques and tools that have worked for a number of organizations.

In Focus Workshop #5
Sarbanes-Oxley: Section 404 Compliance Starts With The CIO, No Question About It. Are You Ready?

NEIL B. JACKSON, CISA, Business Manager Internal Audit, Global Information Technology, E*TRADE Group, Inc.

Learn how certifications by your CEO and CFO are dependent on your assessment of your internal controls within technology. Understand the COSO framework of defining internal control and how you assess their legal effectiveness. Understand your legal responsibilities to disclose deficiencies and how a GAP analysis will help. Understand how your internal and external audit function can help you achieve your new responsibilities. Take back solutions and important advice from your new and trustworthy friend, Internal and External Audit.

3:45 pm-4:45 pm

Developing the Next Generation of IT Leaders

Moderator: RICK SWANBORG, President, ICEX

GUZMAN,

dent & CIO, Owens

EDWARD L GLOTZBACH,

SBC

MICHAEL HARTE, Executive Vice President & CIO, PFPC

MAMIE MILLARD, Senior Vice President, Technology, Travelocity.com

In addition to honing their own leadership abilities, CIOs are concerned with identifying and developing effective leaders in their organizations. Swanborg and a panel of CIOs discuss the challenges involved, and share the techniques they've used to mold the next generation of IT leaders.


4:45 pm-5:30 pm
How to Get a Life

DR. RICK BRINKMAN, Author of Life By Design: Making Wise Choices in a Mixed-Up World

With  the  Internet,  cell  phones, 
laptops,  wireless  and  loads  of 
other  nifty  gadgets,  we  can  now 
work  anytime  from  anywhere  in 
today’s  24/7  global  business 
environment.  Dr.  Rick  looks  at  why 
it’s  increasingly  important  to 
maintain  a  healthy  balance 
between  Life  and  Work. 

5:30  pm-5:45  pm 

Closing  Summary 

JONATHAN ZITTRAIN

5:45  pm-6:45  pm 

Networking  Reception 

7:30  pm-9:30  pm 

CIO  Dinner  Party 
Jack Keen | Real Value

Practical Counsel for Capturing IT Value

Plugging Leaky Business Cases

An airtight business case is an important step toward ensuring the IT project payoff

WHEN PEOPLE ASK ME what I do, I tell them my job is similar to that of a plumber’s. Except I fix business cases that leak “IT value,” rather than faulty pipes. In 13 years at this task (out of more than 30 years in the IT industry), I’ve discovered that business cases can be either the hero or the Achilles’ heel of IT valuation success. Good business cases are management’s beacon for cutting through the fog of value ambiguity, risk and politics. Conversely, bad business cases dangerously confuse value fact and value fantasy.

After helping Fortune 1000 companies from around the globe root out and battle the practice of using problematic business cases, I’ve noticed three disturbing traits. First, weak business cases for IT projects are extremely prevalent—I estimate that more than 90 percent of all business cases are afflicted. Second, the causes and cures for these ineffectual cases are relatively culture-independent—they permeate in Singapore as much as in London, Paris and San Francisco. Third, these failings are serious—but mostly unnoticed. Like the slow, hidden water drip behind a wash basin that ultimately collapses an entire wall, bad business cases are strong, silent killers of IT value that sabotage business payoff before projects ever get off the ground.

There is, however, some good news to report: A concerned manager can discover hidden business case flaws in less than an hour of his time. I know of a single 20-minute effort in one company that revealed $1 million of benefits missed by the business case team. Another examination revealed $16 million of undiscovered business case obstacles to a project payoff. Here’s a quick, three-step method I use to see if business cases have significant value defects. Try it for yourself.

IMAGEANYWARE

The downside: your walk through the parking lot was long. The upside: it gave you time to think about a way to eliminate the high cost and hassles of overnight delivery.

And lo and behold, you found it: Canon imageRUNNER® technology. It lets you send documents anywhere, in any form, at any time, over your network or the Internet. Instantaneously. Just scan a document into the imageRUNNER and send it - to desktops, e-mail addresses, fax machines, databases and file servers. All of which results in lowered costs and increased productivity. So, take pride. Thanks to Canon know-how, your walk through the parking lot is considerably shorter. 1-866-25-CANON www.imagerunner.com

Canon is a registered trademark and Canon Know How is a trademark of Canon Inc. IMAGERUNNER is a registered trademark of Canon Inc. in the U.S. and Canada. IMAGEANYWARE is a service mark of Canon U.S.A., Inc. ©2003 Canon U.S.A., Inc.

True or False: You’re Leaking Value

Test your business case against these 10 common flaws

Compare your business case to the leaks below and answer “true” if they fit the description or “false” if they don’t.

1. LITTLE OR NO DISCUSSION ABOUT INTANGIBLE PAYOFFS. Nonquantified benefits are a part of every management decision. □ TRUE □ FALSE

2. LITTLE OR NO DISCUSSION ABOUT RISKS. No investment choice is without risk. Risk analysis provides an essential perspective. □ TRUE □ FALSE

3. PAYOFFS ARE EXPLAINED MAINLY IN SYSTEMS/DATA TERMS. Good IT investment decisions are based on business value—not technology appeal. □ TRUE □ FALSE

4. UNCLEAR LINKAGE OF PROPOSED I.T. INVESTMENT TO ENTERPRISE BUSINESS GOALS. How an IT investment will help achieve business success must be crystal clear. □ TRUE □ FALSE

5. UNSUBSTANTIATED VALIDITY OF KEY METRICS. Due diligence is vital. Even key metrics, originating from supposedly trustworthy sources, often contain hidden assumptions and dubious conclusions. □ TRUE □ FALSE

6. BENEFITS FOCUS ON DIRECT USERS OF THE PROPOSED SYSTEM, NOT BENEFICIARIES OF THE SYSTEM’S OUTPUT. We live in a highly interdependent world. Often a new system’s major value is its data usage for better decisions by managers outside the group's main users. □ TRUE □ FALSE

7. NUMBERS, RATHER THAN TEXT, MAKE UP MORE THAN 50 PERCENT OF THE CONTENT. Excessive use of numbers obscures rapid and accurate understanding of the “how” and “why” of true business value. □ TRUE □ FALSE

8. BUSINESS CASE IS PRIMARILY IN PRESENTATION-BULLET FORMAT. The complete logic and rationale of the business case’s analysis and conclusions should be fully available to those influencers who cannot attend an oral presentation. □ TRUE □ FALSE

9. BUSINESS CASE SIZE IS MORE THAN 20 PAGES IN LENGTH (NOT INCLUDING APPENDICES). Communication is as important as content. Executive decision-makers need succinct and to-the-point input. □ TRUE □ FALSE

10. A BUSINESS CASE IS NOT USED AFTER THE I.T. INVESTMENT DECISION IS MADE. Business cases should be the foundation of value realization from IT investment selection until the system’s operational retirement. □ TRUE □ FALSE

HOW DID YOU DO? If you answered TRUE to more than two questions, chances are your business case is seriously leaky.

1. Communicate the urgency of the business case reliability. Call your employees together. Remind them that business cases are one of management’s primary inputs for bringing objective clarity to the complex task of selecting and realizing the highest value of potential IT investments. Encourage your team to think about the devastating consequences if a business case erroneously predicts a 12-month payback, when it turns out to be 24 months. Or if a 32-month payback is forecasted, when it should have been eight months. Conclude this discussion with a request to enlist their help in seeing if any of these business case problems have infiltrated your organization. Then, get the word out. Make sure that all who propose, select, manage and count on the benefits of IT investments understand the importance of ironclad business cases as well. Let them know that no business case will be accepted if it has any of the “leaks” contained in “True or False: You’re Leaking Value” (this page).

2. Locate some “typical” business cases. Ask a member of your team to compile copies of four representative business cases recently used by your enterprise. These cost-benefit reports should: be not more than nine months old; address controversial IT projects important to the enterprise’s business success; and be competing for scarce funding resources. Two of these business cases should be for projects selected for funding. The other two should be for proposed projects ultimately rejected.

3. Apply the “value leakage” quick test. Plumbers check for water leaks by blowing compressed air through suspicious pipes. Your staff members can do an analogous value leakage test by passing each of these selected business cases through a gamut of 10 compressed questions listed in the chart. You can compare your business cases to the leaks listed and assess how strong or weak they are. If you frequently answer “true” to the leaks in the chart, you’re in trouble.

The time investment in these steps is minimal, but using this process can go a long way in uncovering hidden business case-related losses. But this is only the first step. In future columns, I’ll be discussing more tips I’ve picked up from surveying the wreckage of IT value misadventures.


Jack Keen is the founder and president of the Deciding Factor (www.decidingfactor.com), and coauthor of Making Technology Investments Profitable: ROI Road Map to Better Business Cases.
THERE’S SHALLOW INTEGRATION AND THERE’S DEEP INTEGRATION

MAKE SURE YOU KNOW THE DIFFERENCE BEFORE YOU DIVE IN.

Everybody seems to be jumping into integration these days, but it takes a deep integration solution to deliver the true benefits of a real-time business. That's what TIBCO Software delivers with The Power of Now.™

The Power of Now. It's the transformation of your company into a real-time business. It unifies and optimizes the assets you already have—your people, systems and processes—to coordinate end-to-end activities and get information where and when it's needed. It's a business operating at its peak efficiency, and generating immediate and measurable results.

Real-time Results. When TIBCO integrated the disk drive giant Seagate with its partners and customers, the resulting system delivered superior customer service and enabled the company to bring its products to market faster. And when TIBCO created adidas-Salomon's real-time supply chain, it resulted in faster time to market and higher revenues for the sporting goods marketer. That's The Power of Now.

Learn how our deep integration has enabled real-time business for other Global 2000 companies. Call 800-420-8450, or visit www.tibco.com/cia to obtain your Executive Guide to Real-Time Business, the first step toward the Power of Now.

TIBCO

The Power of Now™

PATRIOTcompliance Solution

COMPLIANCE OR CONSEQUENCES.

The consequences of USA PATRIOT Act non-compliance are substantial. Enormous fines are being imposed that range in millions of dollars. Not to mention the added scrutiny and negative publicity. It's clear you don't want to be next.

Nor do you have to be.

Our PATRIOTcompliance Solution integrates your existing customer and transaction information systems into a consolidated compliance system that not only detects unusual activity, but also automates its investigation and its resolution in a timely, secure, and meticulously documented manner.

USA PATRIOT Act compliance is just one example of how Sybase is helping today's enterprises achieve Information Liquidity: a highly profitable state where all your information is transformed into real economic value.

For product details, visit sybase.com/patriotsolution.

INFORMATION LIQUIDITY.

Sybase

BETTER WHEN EVERYTHING WORKS TOGETHER™
PLAYING BY NEW RULES: Your Risks and Responsibilities

What to Do When Uncle Sam Wants Your Data

How to Serve Your Company and Your Country
Editor's Note: This story on the IT ramifications of the USA Patriot
Act is the first in a new CIO series, “Playing By New Rules: Your Risks
and Responsibilities.” Here and in future issues we will examine the
federal legislation and regulation that is having a profound effect
on how your company manages data, ensures security and protects privacy.


BY  BEN  WORTHEN 


Memorial Day is typically the first big scuba weekend of the year, and the Friday
before the 2002 holiday, May 24, proved no exception as dive shops around the
country teemed with visitors. There was one notable difference, however. In
addition to the usual beach bums, water bugs and vacationers renting equipment
and booking trips, there were FBI agents demanding the names and addresses of
everyone the shops had taught to dive since 1999.

They wouldn’t say why.

The Professional Association of Diving Instructors (PADI), an organization that
oversees scuba certification, started hearing from panic-stricken shop owners
that morning. “We got calls from all over the country saying, I don’t have
[the data], what should I do?” says Jeff Nadler, PADI's vice president of
industry and government relations. In order to spare the dive shops further
harassment on their first busy day of the year, Nadler made a critical
decision: PADI would give the FBI a copy of its own database.


Reader ROI

► How the new antiterrorism laws will impact your business

► How to shield your company from potential litigation and bad publicity

► What infrastructure improvements may be required by the new regulations
CHARLIE LATHRAM, vice president for
security and business controls for BellSouth,
makes sure his staff always gets law
enforcement requests for data in writing.


How  to  Avoid  Getting  Sued 


Thankfully,  there  are  ways  to  avoid  becoming  a  privacy  test  case  before  the 
Supreme  Court.  Follow  these  steps  to  help  protect  your  company  from 
litigation  while  fulfilling  your  legal  obligation  to  law  enforcement. 


1. Make sure your privacy policy says that you will share information with
the government when required by law.

2. Don’t share information with law enforcement unless you receive a court
order or subpoena, and your legal department has determined it is valid.

3. Make sure all employees know that the first thing they need to do when
contacted by a law enforcement agent is send the agent to the legal
counsel—even if the employee has helped the agent in the past.

4. Figure out what pieces of technology you must have to comply with
data-sharing regulations. You may not have to implement it immediately,
but you should at least have a plan. -B.W.


Cover  Story  |  Data  Privacy 

On Friday afternoon, he called the FBI agent in charge of the dive shop
investigation and struck a deal. PADI would turn over its records if the
FBI would agree not to share the information with any other organization,
including other law enforcement groups.

Strictly speaking, PADI was acting voluntarily; the FBI had not subpoenaed
its database. (One Florida dive shop owner refused the FBI’s request, and
two-and-a-half hours later an agent returned with a subpoena.) The
following Tuesday, Nadler mailed to the FBI a Zip drive containing the
names, addresses and certification levels of almost every American who had
learned to dive in the past three years—2 million names and their
accompanying personal information.

PADI’s experience is not unique. In the year and a half since Sept. 11,
2001, supermarket chains, home improvement stores and others have
voluntarily handed over large databases of customer records to federal law
enforcement agencies—almost always in violation of their stated privacy
policies. Many others have responded to court orders for information, as
required by law. Clearly, the government wants your corporate data, and
under new legislation passed in the shadow of Sept. 11, it has a right to it.

Companies that lack the proper procedures to handle the new government
mandates can expect to lose business and even face lawsuits (from customers
outraged at the loss of their privacy). And then there’s the cost of
infrastructure improvements to meet the demand for data. As czars of
information, CIOs must take a leading part in preparing their companies for
when the feds come knocking. As a senior FBI official told Nadler, “Last
month it was apartments; this month it is scuba. Who knows what it will be
next month.”

The government’s hunger for data represents a profound about-face in how
law enforcement operates. Before the terrorist attacks, when a crime
occurred, investigators would work to determine the perpetrator’s identity,
and then they would try to dig up as much information about the suspect as
possible. Collect, then convict. Today, the FBI’s stated top priority is to
“protect the United States from terrorist attacks,” which implies stopping
the bad guys before they strike. In other words, the new attitude is detect
and deter. The FBI is now wading through enormous amounts of data looking
for activity that could indicate a terrorist plot or crime.

“One of the significant new data sources that needs to be mined to track
terrorists is the transaction space,” says John Poindexter, the former
national security adviser who now heads up the ominously named Total
Information Awareness program (see “Taming Big Brother,” Page 62). “If
terrorist organizations are going to plan and execute attacks against the
United States, their people must engage in transactions, and they will
leave signatures in this information space.” Of course, “transactions”
could include just about anything, from transferring money to buying a
sandwich at a local deli. Information gathering at this level is akin to
searching for a terror needle in a data haystack.

Caught in the middle are American businesses, which are being forced to
compromise their customers’ privacy to fulfill these new government
mandates. Companies that don’t have the right language in their privacy
statements or the proper process for handling data requests can expect
trouble. And then there’s the cost. No one is quite sure what technology
investments will be needed to satisfy law enforcement requests. Financial
and travel companies have already had to create systems that check customer
names against a government watch list in real-time. Some estimates for the
cost of these systems run as high as $5 million for an average-size
company. (The cost of not complying is even higher; the government fined
Western Union $8 million in December when it failed to spot multiple
transfers made by the same people.)

“I see this as a critical issue for businesses in this decade,” says Alan
Westin, professor of public law and government at Columbia University and
president of Privacy and American Business, a nonprofit newsletter on
privacy issues. Ultimately, says Westin, the burden falls on the CIO—the
keeper of information and a company’s last line of data defense—to make
sure that his company meets these new requirements and doesn’t get sued
or fined.

“[The new legislation] forces more discipline around knowing your
customer,” says Peter McCormick, general manager and the CIO for Sumitomo
Mitsui Banking, the U.S. wing of Japanese financial holding company
Sumitomo Mitsui Financial Group. “It requires a different rigor than
previously.” McCormick says he now has to scan more
PETER MCCORMICK, CIO of Sumitomo
Mitsui Banking, makes a point of keeping
company data online for six to 12 months
so he can quickly respond to law
enforcement requests.


data, respond to more requests for information and do it faster than ever
before.

Fortunately, CIOs from data-sensitive industries such as finance, telecom
and travel have already confronted this challenge and can offer some
practical advice about sharing information with law enforcement. Herewith
is a primer on the latest legislation, its policy and technical
implications, and what you should be doing about it all.

A  Recipe  for  Litigation 

The primary legal instrument for this new data-sharing policy is the
Uniting and Strengthening America by Providing Appropriate Tools Required
to Intercept and Obstruct Terrorism Act of 2001 (the payoff of this
cumbersome name is the acronym USA PATRIOT, or Patriot, Act). While most of
the bill outlines strict reporting requirements for financial institutions
(more on that later), Section 215 of the Patriot Act amends the little
known Foreign Intelligence Surveillance Act of 1978 to allow much broader
access to private data. Specifically, Section 215 says federal agents “may
make an application for an order requiring the production of any tangible
things (including books, records, papers, documents and other items) for an
investigation to protect against international terrorism or clandestine
intelligence activities.”

This law grants the FBI access to library records, video rentals and much,
much more. “The language in 215 says ‘including books,’” notes Lee Tien,
senior staff attorney for the Electronic Frontier Foundation, a technology
and policy watchdog organization. “People who are not lawyers said ‘books,’
then ‘library,’ then ‘They could get your reading record.’ They are right;
it does apply to libraries and video rentals and bookstores. But it is also
applicable to any business records.”

The Patriot Act also lowers the standard to obtain a court order from
having a reason to believe that an individual is involved in criminal
activity to having relevance to an investigation. “It means,” Tien says,
“that there is more potential for fishing expeditions.”

Even more ominous, Section 215 also says that “no person shall disclose to
any other person...that the Federal Bureau of Investigation has sought or
obtained tangible things under this section.” In other words, it’s illegal
to reveal if you have been asked for information. The attorney general is
required to report the total number of orders requested and granted to the
Senate and House judiciary committees every six months. However, the
reports are classified.

Robert Levy, senior fellow in constitutional studies at the policy and
research group Cato Institute, has his doubts about the constitutionality
of these provisions. He adds that this is an issue for the courts to decide
sometime in the near future (if Congress doesn’t step in first and amend
the legislation).


Section 215 also has a clause intended to make companies feel better about
sharing data: “A person who, in good faith, produces tangible things under
an order pursuant to this section shall not be liable to any other person
for such production.” At first glance, this would seem to give companies
immunity against lawsuits brought by angry customers whose data has been
given to the government. But there is enough gray here to make a rainy day
envious. First of all, organizations that volunteer information, like PADI
and others have done, are not covered by this legal protection, since the
safe harbor provision in the Patriot Act applies only to companies that
receive a court order. Nor is the FBI legally
Taming Big Brother

The Defense Department will have to wait for technology
to catch up with its vision of Total Information Awareness, and
that may be a good thing

The most concrete manifestation of the new detect-and-deter approach was
the Department of Defense’s Total Information Awareness program, a
data-mining initiative headed by former National Security Adviser John
Poindexter. As originally conceived by Poindexter, the program would have
sorted through everything from grade-school report cards to medical records
to video rentals in an effort to spot potential terrorists before they strike.

Congress, however, put the kibosh on Poindexter’s grand vision, limiting the
scope of the program strictly to noncitizens. Americans will not be subjected
to the data-mining program, whose logo—a pyramid topped with a giant eyeball
watching the world—went along well with its Orwellian name.

The citizenry need not worry in any case. According to data-mining experts,
technology isn’t even close to doing what Poindexter and the Defense
Department want to do. Given today’s state-of-the-art technology, it is hard
enough to mine two databases simultaneously, let alone the tens, hundreds or
thousands that the program hopes to search. Then there is the issue of
teaching the software what to look for—even data-mining programs based on
artificial intelligence have to be told what patterns to search for. It took
credit card companies decades to develop the algorithms they use to detect
fraud. The government faces an even greater challenge trying to understand
the behavior patterns of terrorists—particularly given the small sample size
from which to learn. So far one of the only distinct transactional
similarities among the 19 Sept. 11th hijackers is that they all bought a lot
of pizza using credit cards.

“Even under a nearly perfect system you get false positives,” says Larry
Ponemon, head of the eponymous Ponemon Institute, a privacy and data
protection think tank. “That’s where you infringe on people’s privacy and
maybe their civil rights. You can’t have the convenience [of total
awareness] without expanding the probability of a false positive.” And the
possibility that hundreds, perhaps thousands, of people may be falsely
accused of terrorism. -B.W.
bound by a verbal agreement, with the scuba divers’ association or any
other organization, to not share its data with anyone else. In fact, under
the Homeland Security bill passed last fall, the FBI is required to share
data with other law enforcement agencies.

Update  That  Privacy  Policy 

PADI doesn’t have a privacy agreement with its members that says what it
will and won’t do with the information it collects, but most companies do.
An informal study of 60 Fortune 100 companies’ privacy policies found that
11 make no mention of sharing customer information with the government,
even though many companies already do. For example, Home Depot’s privacy
policy as stated on its website says it will share customer data with law
enforcement to “identify those individuals who use this site for fraudulent
or other illegal activities.” (Home Depot’s policy does say it will share
information customers submit about other people “as required by law” and
“to comply with a court order or other legal process.”) Forty-five percent
of companies have already supplied customer, employee or business partner
data to government or law enforcement agencies, according to a December
2002 CSO magazine (a CIO sister publication) survey of 797 organizations
(for full survey results, go to www.cio.com/printlinks).

More startling, the CSO survey found that 41 percent of respondents said
they are willing to share information without a court order if they believe
it is in the interest of national security. But this eagerness to comply is
a recipe for litigation, since volunteering data is quite different from
being ordered to divulge information by a court, says Larry Ponemon,
founder and senior partner of the compliance risk management practice at
PricewaterhouseCoopers and head of the Ponemon Institute, a privacy and
data protection think tank. Companies, he says, are putting themselves at
risk “if you post a privacy policy and you don’t provide for every scenario
or you go beyond what you say.”

Of course, any potential litigation is predicated on the fact that
customers find out that their data is being shared, which under current law
shouldn’t happen. One West Coast grocery store chain is counting on just
that. After a midlevel marketing manager on his own initiative gave its
customer database to the FBI, the chain weighed publicly apologizing to its
customers before deciding to keep the incident secret (the company declined
to be interviewed for this story).

Laws, however, change. “My perception is that [the Patriot Act] was created
very quickly, and a lot of the issues were not well thought out,” says
Ponemon. “There is an appetite for increasing public safety now. But say
there is a political regime change or big corporations start to push back.”

The  Patriot  Act  could  change  if  the 
Democrats  win  back  the  Senate,  the  Supreme 
Court  rules  portions  unconstitutional  or  the 
nation’s  security  and  privacy  barometer 
shifts.  There’s  even  a  legal  precedent  for  large 
companies  to  be  sued  once  laws  change.  The 
Cato  Institute’s  Levy  says  there  are  notable 
examples  of  civil  proceedings  stemming  from 
changing  legislation,  including  tax  shelter 
lawsuits  and  the  large  tobacco  settlements. 
Get It in Writing

Amending your privacy policy to state that you will give information to law
enforcement when required by law is just a first step—and a small one at
that. The best protection against litigation is to have a companywide
policy that explicitly states what happens if and when law enforcement asks
for data. This needs to be set at the executive level and distributed to
every employee.

Charlie Lathram, vice president for security and business controls for
BellSouth, says that the first part of every good policy is designating one
person to handle law enforcement requests. Last year the telecommunications
giant received 32,370 subpoenas and 636 court orders for customer
information—about 100 requests a day. Due to the high volume, BellSouth
actually has an entire request response team. Employees are trained so that
the first thing they do when contacted by a law enforcement agent is to
redirect that person to the team.

Albert Gidari, a Seattle-based attorney with Perkins Coie whose clients
include AT&T Wireless and Nextel, companies with a long history of
complying with investigations, says that even if a law enforcement agent
says it is an emergency, companies need to get something in writing. “It
can be on the back of a napkin if need be,” he says. Gidari has been
involved with cases where law enforcement agents have lied about their
motives. One U.S. attorney said he needed information to investigate a
terror threat when he actually was looking into a bank robbery. Another
agent asked for a large amount of information citing a bioterrorism threat
that turned out to be a drug sting. “Getting a written and signed document
protects you. You don’t want to be in court and have a he-said-she-said
argument,” Gidari says. “The second thing is the public relations outcry.
[When you get it in writing] you can say, ‘We’re not collaborating, we are
cooperating.’ The press will not be upset with you but with the agent who
made the request.”

For Lathram, just having it in writing isn’t good enough. BellSouth
discloses customer information only if there is a valid court order or
subpoena. Determining the validity of an order takes some special
knowledge. Not all subpoenas are legal. For example, about 20 states can’t
issue investigatory or grand jury subpoenas, while others can. A valid
subpoena must contain information such as where it was issued and the
prosecutor’s name. Complying with an illegal subpoena doesn’t meet the
“where required by law” disclaimer of most privacy policies.

Furthermore, it is possible to question a subpoena. One of the dive shops
subpoenaed in the scuba investigation challenged a subpoena and rather than
go to court (and have the investigation entered into the public record),
the FBI simply dropped the request. BellSouth challenges subpoenas it deems
burdensome and voluminous. One request asked for all the incoming calls to
a bank during a 90-day period. “In essence we ask the court to narrow the
scope,” says Lathram. “This is not an adversarial position. We’re just
trying to understand what they are trying to get at.”

Sumitomo  Mitsui  Banking’s  McCormick 
says  that  financial  companies  can  be  fined 
under  the  Patriot  Act  if  they  do  not  respond 
to  requests  within  five  days.  Fortunately,  most 
law  enforcement  requests  deal  with  data  that 
is  six  to  12  months  old,  McCormick  says.  So 
he  makes  a  point  of  keeping  that  kind  of 
information  online.  Only  occasionally  does 
his  staff  have  to  scour  through  old,  poorly 


JEFF  COHEN,  CIO  of  JetBlue 
Airways,  spent  about  three  months 
building  a  system  that  could  match 
the  passengers  checking  in  with 
names  on  the  FBI’s  watch  list. 
indexed tape drives to find data that is more than a year old.

One issue that CIOs in particular need to be wary of is that their
staffs—the individuals who will actually be collecting and supplying the
data—don’t develop a relationship with specific law enforcement agents that
results in a circumvention of the data-sharing policy. “More and more, law
enforcement is making the assumption that companies will cooperate,” says
Ponemon. “And in some cases they may be getting sloppy. By the time [an
agent] goes back to a company the 10th time, you know Joe and that he can
pull this off.” Ponemon has seen this firsthand. Recently, while performing
a risk assessment for a CRM director at a large travel company, he
discovered that the employee was about to give out new information under an
old court order. “It was going to be complied with until I brought it to
her attention,” he says.

The Cost of Sharing Data

Coming up with and enforcing a data-sharing policy is relatively
straightforward. More byzantine are the technical challenges of sharing
this data.

There is no doubt that financial CIOs have their work cut out for them.
McCormick says that Sumitomo Mitsui has to scan every incoming and outgoing
transaction for names of people and institutions on several watch lists,
and stop any that match from going through. Thanks to earlier investments
in a middleware-intensive infrastructure, McCormick was able to install
additional software that can cross-check names on fund transfers against
government-supplied watch lists with relative ease. He purchased the
cross-checking software package from Sybase—it costs around $500,000 for
large financial companies—and uses a previously installed Sybase E-Biz
Integrator as the middleware.

“Payment flows are routed to E-Biz and then to the scanning software,”
McCormick explains. “Assuming the payment is acceptable, the message is
then routed onward. If the payment fails any of the required scans, the
message is retained for investigation and further reporting. This
architecture does not restrict us to any set number of systems. So if there
were new requirements for scanning, it would not be difficult to integrate
those into our infrastructure.”

But for a company without an infrastructure that can easily accommodate the
new scanning requirements, the costs would be much higher. “If you don’t
have the infrastructure in place, good luck,” McCormick says. “If you
[search for suspicious activity] manually, you are in deep kimchi. I don’t
think the government cares if you have systems or 10,000 guys going through
10,000 files, but at a certain point if you can’t scale, you are going down
a slippery slope.”

Bill Irving, president of Antwerp, Belgium-based consultancy Capco,
estimates that most financial companies will have to spend $4 million to
$5 million retrofitting their infrastructures before all is said and done.

What it means for nonfinancial companies is less clear. “[The Patriot Act]
expanded the regulation way beyond commercial banking,” Irving says. Now
any company that processes financial transactions is considered a financial
company. Case in point: Western Union’s $8 million ticket was the first
fine under the Patriot Act and the largest ever for a money transmitter,
even though it doesn’t fit the traditional definition of a financial
company. Western Union spokeswoman Wendy Carver Herbert blamed IT for the
failure that led to the fine. Financial institutions are required to report
whenever someone makes transfers greater than $10,000. Western Union’s IT
systems couldn’t tell when a single person was making multiple transfers
from different locations totaling $10,000, and the company didn’t have
plans to put the necessary systems in place. (It now will as part of the
settlement.)
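
The Western Union failure described above, where each transfer looks unremarkable on its own while one person's transfers across several locations add up past $10,000, is fixed by aggregating per sender before comparing against the threshold. The sketch below is an added example, not code from the article or from any company it names; the 24-hour window, the `Transfer` fields and the constructed sample records are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000        # dollars; the figure quoted in the article
WINDOW = timedelta(hours=24)     # assumption: the article states no time window


@dataclass(frozen=True)
class Transfer:
    sender_name: str
    sender_id_doc: str   # hypothetical: number of the ID shown at the counter
    location: str
    amount: int          # whole dollars
    when: datetime


def sender_key(t):
    """Collapse case and whitespace so one person maps to one key at every location."""
    name = " ".join(t.sender_name.upper().split())
    doc = "".join(t.sender_id_doc.upper().split())
    return (name, doc)


def per_transfer_check(transfers):
    """The failing approach: each transfer is judged in isolation."""
    return {sender_key(t) for t in transfers if t.amount > REPORT_THRESHOLD}


def aggregate_check(transfers):
    """Flag senders whose transfers inside any WINDOW exceed the threshold in total.

    Returns {sender_key: (total_in_window, sorted_locations)}.
    """
    by_sender = defaultdict(list)
    for t in transfers:
        by_sender[sender_key(t)].append(t)

    alerts = {}
    for key, items in by_sender.items():
        items.sort(key=lambda t: t.when)
        start, running = 0, 0
        for end, t in enumerate(items):
            running += t.amount
            # Slide the left edge forward until the window spans at most WINDOW.
            while t.when - items[start].when > WINDOW:
                running -= items[start].amount
                start += 1
            if running > REPORT_THRESHOLD:
                locations = sorted({x.location for x in items[start:end + 1]})
                alerts[key] = (running, locations)
                break
    return alerts


def make(name, doc, location, amount, day, hour):
    return Transfer(name, doc, location, amount, datetime(2003, 1, day, hour))


# Constructed sample data: names, ID numbers and store labels are invented.
SAMPLE = [
    # Four $3,000 transfers from four locations in one day, spelled inconsistently.
    make("Alex Example", "ID-001", "Store 12", 3000, 6, 9),
    make("alex  example", "id-001", "Store 40", 3000, 6, 11),
    make("ALEX EXAMPLE", "ID-001", "Store 77", 3000, 6, 14),
    make("Alex Example", "ID-001", "Store 03", 3000, 6, 16),
    # One large transfer: caught by either check.
    make("Blake Sample", "ID-002", "Store 12", 15000, 6, 10),
    # Two $6,000 transfers three days apart: outside the window, not flagged.
    make("Casey Placeholder", "ID-003", "Store 12", 6000, 6, 10),
    make("Casey Placeholder", "ID-003", "Store 40", 6000, 9, 10),
]

if __name__ == "__main__":
    print("per-transfer:", per_transfer_check(SAMPLE))
    for key, (total, locations) in aggregate_check(SAMPLE).items():
        print("aggregate:", key, total, locations)
```

The aggregate check is only as good as the sender key; in this sketch, records for the same person that carry a different ID number are treated as different senders.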

Few doubt that the new laws will expand the government’s reach well
beyond financial services. But so far, the IT costs of data sharing
are mostly anecdotal. JetBlue Airways spent about three months
building a system that could match the passengers checking in with
names on the FBI’s watch list, says Vice President and CIO Jeff
Cohen. That project included rewriting large pieces of the code for
its reservation system. Lathram says BellSouth will run up some
significant costs making its communications infrastructure,
including optical phone and data lines, compatible with
next-generation wiretapping tools so that the telecom can comply
with the new requirements.

Even so, the future of data sharing for national security purposes
remains fuzzy. “[Government agents] don’t know what they need yet,”
Lathram says.

So for now, they are asking for everything.


Send  your  feedback  to  Staff  Writer  Ben  Worthen  at 
Utility  Computing


Utility  computing  promises  processing 
power  when  you  need  it,  where  you  need  it. 
But  the  technology  isn’t  making  sparks  fly  yet. 
UTILITY COMPUTING: Who would have thought that a technology with
such a pedestrian label would become a top IT story?

During the past two years, most of the leading IT services companies
have announced initiatives with that unprepossessing name. All the
products and services sold under that banner appeal to a common
vision: computing tasks buying what they need and only what they
need, automatically, from a huge pool of interoperable resources
(potentially as large as the whole Internet). Each task or
transaction would have an account and a budget and would run up
payables; every resource would record and collect receivables.
Computing power would be as easy to access as water or electricity.
While the products and services currently being introduced under
utility computing do not go this entire distance, they move a long
way in that direction.
Consider American Express Executive Vice President and CIO Glen
Salow’s situation. Like many companies, when AmEx introduces a new
product, that action typically triggers traffic surges back onto the
enterprise network. Some of that traffic will support marketing
efforts, some technical support and some the service itself, such as
executing an online transaction. It is critical that adequate
resources be in place to support that service, particularly during
the early days of an introduction. Yet calculating ahead of time
what this demand surge will be is almost impossible.

To date, all a CIO could do was overprovision, but as Salow points
out, that imposed a double penalty: paying more than was technically
necessary and waiting for the new equipment to be installed and
tested. “I don’t want to tell marketing that I need six months to
have the infrastructure in place,” he says. So Salow took a
different approach and structured a deal with IBM Global Services to
buy storage and processing for delivery over a network, per
increment of traffic demand. That is not utility computing in the
purest sense, since resource procurement is not calculated
automatically or per transaction. But the term still applies because
of the much tighter fit it allows between the provisioning and
demand curves. The advantages of utility computing are self-evident:
Resource use becomes more efficient, and because resource changes
are automatic or at least highly automated, it also conserves
management time. By contrast, the current system — in which IT hooks
up and exhausts large blocks of resources in a general free-for-all,
at which point another large block is trucked in and wired in
place — looks antediluvian. On paper, at least, the case for the
transition to utility computing seems compelling.


Utility Computing’s
Long-Term Effects

Utility computing resources abound

Utility computing is an unassuming term for a big idea: an
architecture in which network management has been reduced to the
smallest practical units of measure. At the extreme, individual
operations would bid for the resources they needed and pay for only
those resources consumed—all automatically. Resource distribution
would become more efficient, and management time would be conserved.

This would work best in an environment in which resources are freely
convertible, and at the moment nothing is further from the case. One
way of getting some of the benefits of the idea is to have services
delivered on-demand over a network. Another is to dedicate an
internal machine to a utility computing environment. A third is to
break off a specific service, such as storage or Web serving, and
operate those on an on-demand basis. Whichever road is taken, the
long-term effects on the nature of the CIO’s role will be to move
the office away from a focus on hardware to maintaining markets,
both internal and external. One source of developing news on the
topic is the online magazine Grid Infoware, found at
www.gridcomputing.com. -F.H.

A.K.A.  Outsourcing? 

Unfortunately it is very hard to get from here to there. Companies
assemble current systems out of silos of resources, which they then
fine-tune to local operating requirements. Some of those resources
sit inside the firewall and some outside; some run under Unix and
some under Windows; and some are PCs and some are Macs. “Suppose an
application is qualified on Solaris 8,” says Peter Jeffcock, group
marketing manager for Sun Microsystems. “Finding a processor running
Solaris 7 will not be helpful.” He compares imposing utility
computing on the average network to trying to build an electrical
power market if every state generated a different brand of
electricity.

As a result, many vendors are selling what might be thought of as
“outsourced utility computing,” in which they provide resources over
the Internet, matching delivery to demand at least
semiautomatically, perhaps through a webpage. One appeal of such
services is their level of automation. Mobil Travel Guide is
developing a complicated new mapping service, Mobil Companion, that
will support a high level of interactivity between travelers and
facilities such as hotels, parks and museums. (For instance,
tourists planning a journey will be able to buy tickets and make
reservations along their intended route with a few clicks.) But the
service will be intensely transactional and prone to unpredictable
peaks. “I needed a whole new architecture,” says CIO Paul Mercurio,
“but I also needed to focus my development team and spend my money
on the product, not on building the network.” So in October 2002,
Mercurio started buying networking resources from another virtual
utility computing service, Virtual Linux Server, also from IBM.

Unlike AmEx’s Salow, Mercurio is willing to accept a higher degree
of dependence on his vendor. He says his level of comfort springs in
part from his background in travel reservation services, which have
been using utility computing-like services for years — travel
companies generally pay for resources not by reserving blocks of
capacity ahead of time (and still less by wiring in hardware) but by
the transaction. Mercurio expects utility computing to move to that
same model. “In 10 years we won’t be needing database
administrators,” he speculates. “Each transaction will just buy the
resources it needs.”

Some companies even plan to move almost entirely to the outsourced
utility computing model. Recently, Inpharmatica, a British
pharmaceutical company, finished participating in a utility
computing pilot program just launched by Gateway. “Two to three
years ago, we built a 2,300-plus processor compute farm with 25
terabytes of storage,” says Inpharmatica CIO Pat Leach. “Building it
was very interesting stuff, but we are a drug discovery company, not
an IT shop. We would much rather employ people to do innovative
analysis than spend time building computers. As demand exceeds
capacity, I hope to use compute-on-demand to top up and eventually
replace our compute farm.”

Profitable  Utility 

Utility computing by its nature is antagonistic to the idea of
drawing a high contrast line between local and external resources;
if all resources are interoperable, a transaction should never need
to know whether the processing it buys comes from inside or outside.
Keith Morrow, CIO of 7-Eleven, buys processing cycles and storage
capacity from EDS. However, he plans to extend the concept
internally by offering the same relationship to 7-Eleven’s
divisions, departments and franchisees.

He would like to buy processing cycles and storage capacity from
EDS, use those to support application processes, and then sell
access to those processes internally on a per-transaction basis. The
end user would not know — and have no reason to know — he was buying
a composite product. (Morrow is moving a step closer in another
respect: He lets his system buy its own storage; all he asks is that
his network send him a monthly report detailing its purchasing
decisions. He still orders processing manually, since that resource
comes in pricier units.)

The idea of IT becoming a profit center may seem strange, but it
seems like an inevitable consequence of the transition to utility
computing. Gateway, for instance, has a tremendous number of demo
machines and training workstations doing nothing in hundreds of
stores, most of which have T1 data lines already hooked up. Recently
the company connected about 8,000 of those machines (using a United
Devices’ MetaProcessor platform) into the previously mentioned
on-demand service that can deliver an astonishing 14 teraflops,
making it one of the faster machines in the world. (One of the
advantages of buying processing from computer vendors is that as
they upgrade their stock, that performance number will rise
automatically.) According to Bob Burnett, executive vice president
and CTO of Gateway, its big concern was having the retail side of
operations be completely unaffected. “We were striving for an
obtrusiveness of zero,” he says — and he got it.

Local  Utility 

One way of bringing utility computing inside — given the huge
incompatibilities that exist in most established networks — is to
dedicate a special computer to the task. Several companies, such as
Hewlett-Packard, Inkra and Opsware, sell software that will
partition a computer (often a mainframe) into several perfectly
interoperable environments, keep track of resource use on a
per-transaction basis and bill accordingly. If a transaction
requires, say, an unusual operating system, that OS can boot in its
partition to support just that transaction. Cognigen, a data
analysis and consultancy for the biotech and health-care industries,
recently bought some utility computing software from Sun, the Sun
Grid Engine, that performs this seeming magic.

According to Darcy Foit, director of IS at Cognigen, the problem
that inspired the purchase was the need to optimize execution of a
critical program that did not share processor time well. The Grid
Engine gave Cognigen’s scientists a running view of and access to
all processors on their LAN, letting them monitor and schedule their
tasks more efficiently. “Since implementation,” Foit says, “each
scientist has had an average of an extra hour of work time.”
(Previously that much time was wasted waiting for processors to free
up.)

72  CIO  APRIL  15,  2003  •  www.cio.com

Foit says he is now thinking of taking the natural next step: using
the Grid Engine to offer a specialized virtual computing service to
external clients. Unlike Gateway, which will talk with anyone, Foit
plans to stay within bioinformatics. “Bio companies often need to do
validation runs on their computing work,” he says, “and perhaps
validation by its nature is done best by an independent company.”

Daunting Challenges

Those cases might seem like baby steps set against the utility
computing utopia — in which any operation has access to any
resource — but even they are not without problems. The primary issue
for most CIOs will be how much control they lose when renting or
borrowing resources instead of owning them, says AmEx’s Salow. He
notes that he has some concern that either the utility computing
vendor or the relationship itself will end up influencing the
development of a company’s network, perhaps by biasing procurement
decisions toward the supplying vendor’s products. He says, however,
that so far the service, which started in March 2001, has not raised
any of those flags.

In some companies, moving procurement out of the capital and into
the operating line item might not be simple either. Many CIOs will
worry about the security risk of moving critical data onto external
machines, though Inpharmatica’s Leach thinks the problem is
manageable. “I think the security issue is overstated,” he says.
“Outsourcing is common practice. The United Devices/Gateway facility
is just a step along the same road.” He says the issue for many
companies will be whether to buy an expensive kit that is completely
under their control or use a trusted third party and save money. “I
think that many small and midsize companies will choose the latter
and be more competitive than their larger, more conservative
competitors,” he says.

One of the tougher transition issues is not technical at all, but
cultural and political. A general introduction of charge-by-use will
almost inevitably disrupt established chargeback practices. In most
organizations, IT has tried to stay out of the highly volatile
business of taking money away from people.

“You go into an organization, and IT will tell you, ‘We don’t do
chargebacks — accounting takes care of that.’ They’re thinking of
themselves as technical people, not businesspeople,” says Kevin
Vitale, CEO of Ejasent, which makes utility computing tools. Vitale
expects utility computing to change that, not just because it
produces a specific, very detailed invoice, but because IT generates
the bill. “CIOs are going to have to wrestle with issues of
chargeback fairness,” he says. “They are going to have to start
thinking of information technology as a business resource, not just
as something to be kept in running order.” Nick van der Zweep,
director of utility computing for HP, puts the point this way: “IT
people will be people who manage services as opposed to people who
work with wires and boxes.”

Moving  to  Utopia 

It is worth noting that all this energy is being devoted to merely a
halfway version of utility computing. Down the road the utility
computing relationship will not be with a certain vendor or a
specific mainframe but with the whole Internet. Every piece of the
network will participate in a huge free market, buying and selling
what it needs as it needs it. CIOs will come to work to find hard
drives and RAM that their systems bought through eBay. IT will
become a revenue stream, selling itself overnight to buyers in other
time zones.

Perhaps that vision is in part a fantasy, though a recent experiment
by HP, in which the company implemented its utility computing
software on the Grid (a worldwide research network specifically
designed to explore ideas in large-scale distributed computing)
seems like a big step in that direction. And if it is only a
fantasy, it is at least a long-standing one. For years, information
scientists have been suggesting that without such a flexible and
bottom-up system of provisioning, the growing complexity of networks
will eventually consume exponentially larger amounts of resource and
management time. Since there seems to be no end to increased
complexity, it follows that we will eventually find our way, like it
or not, to pure utility computing.


Fred Hapgood is a freelance writer based in Boston. He can be
reached at hapgood@pobox.com.
Critical


Corporate accountability has Washington’s attention, and now the
auditors have their pencils sharpened for IT processes and projects.
Here are nine strategies for working with auditors before, during
and after an accounting exam.

By Geoffrey James


And  That  Could  Be


This  would  keep  you  up  at  night: 

You’re  the  CIO  of  a  credit  union,  and  on  Friday  night  you  get 
an  e-mail  from  a  customer  suggesting  that  you  check  your 
company’s  electronic  banking  site.  You  open  a  browser  and 
discover,  plastered  across  the  homepage  in  gigantic  crimson 
letters,  a  very  famous  four-letter  word.  You've  been  hacked! 
You  quickly  phone  your  website  outsourcer,  only  to  discover 
that  everyone  has  left  for  a  long  weekend.  Meanwhile,  your 
browser  is  emitting  more  “You’ve  Got  Mail”  chirps,  letting 
you  know  that  your  new  corporate  message  is  not  going 
unnoticed. 

Sound bad? It gets worse. During the inevitable meeting with top
management to explain how this happened, you discover that your
external auditors—the bean counters you've ignored for the past six
months—have just reminded the board of directors that this never
would have happened if you had listened to their advice about
systems security. So now this act of website vandalism makes it
appear to your CEO that the accountants can do your job better than
you.

Fortunately, the CIO who suffered through that scenario did hang on
to his job. (Find out how later in the article.) But the lesson is
clear: In the wake of business scandals and ongoing pressure to
contain corporate costs, the accountants are coming, and they’re
gunning for the IT group. Both internal auditors and outside
certified public accountants are focusing on IT processes like IT
security, not just the results of individual IT projects. In some
cases, they are bringing technical experts with them.

Adding  to  a  sense  of  urgency,  regulators  are  getting 
involved  on  both  sides  of  the  CIO-auditor  relationship.  The 
audited  results  of  some  corporations  are  finding  their  way  to 
CIOs’  desks:  Some  companies  are  asking  their  CIOs  to  sign 
off  on  their  financial  statements  to  comply 
with  the  Sarbanes-Oxley  Act,  which  seeks  to 
ensure  the  accuracy  of  financial  statements. 
And  under  the  same  law,  the  Securities  and 
Exchange  Commission  in  January  mandated 
that  accounting  firms  must  retain  for  seven 
years  records  (including  electronic  records) 
relevant  to  audits  they  perform. 

For  a  CIO,  it  all  adds  up:  Prepare  to  answer 
more  questions,  in  more  detail,  than  ever  before. 


Reader  ROI 

►  Tips  for  cooperating  with 
auditors 

►  How  to  use  auditors  to
improve  IT  procedures  and 
assess  risks 

►  Mistakes  to  avoid  on  your 
company’s  accounting 
ledgers 
But while this increased scrutiny takes up important staff time and
represents a challenge to the CIO, it’s also an opportunity. CIOs
can use auditors’ analyses to improve their processes, to assess and
manage risks, and identify problem areas. Here are nine strategies
for surviving the auditing process with the auditors working with
you, not against you.


SURVIVAL  STRATEGY 


1.  Know  that  the  world  has 
changed.  No  one  believes  IT 
is  a  superhero. 

IN THE PAST, both the external auditors (the CPAs who check a
company’s books) and internal auditors (who work with management to
ensure compliance with accounting standards) tended to view IT with
awed respect. But that’s no longer true, says Jeffrey Ward, a
partner at Clifton Gunderson, a CPA and consulting company. (Ward’s
auditing practice pointed out the security glitch in the website
defacement scenario.)

“We’ve lost the blind faith that technology experts know what
they’re doing,” Ward says. At the same time, the pervasiveness of
computing has made the CIO a key person in nearly every auditing
situation. “CIOs are being held much more accountable for what’s
going on at an increasing number of levels in the typical
corporation because IT support is integral to almost all financial
and nonfinancial activities,” he adds.

The sudden auditor skepticism about the godlike status of IT is a
direct result of the dotcom crash and the corporate accounting
scandals of the past two years, according to Jack Cooper, who until
a year ago was CIO at pharmaceutical maker Bristol Myers Squibb.
Cooper, who now heads supply chain consultancy JM Cooper and
Associates, serves on the audit committee (a subset of the board of
directors) for two publicly held companies. He says that
Sarbanes-Oxley “gives audit committees an enormous responsibility to
ensure that companies are correctly managing risks and fully
disclosing all relevant information.” Cooper notes that one of those
risks involves the day-to-day performance of the IT function. “The
auditors are going to make certain that CIOs are doing everything
possible to prevent an unforeseen disaster,” he says.


At  J.C.  Penney,  IT  Audit 
Manager  Ken  Askelson  (left) 
enters  talks  about  new 
systems  early  with  CIO 
Steve  Raish  to  ensure  that 
they  produce  reliable  data. 
2.  Make  auditors  part  of
the  management  team. 
Consider  them  friends. 

CIOS SHOULD NEVER TREAT the auditors as adversaries, warns Steve
Raish, CIO at retailer J.C. Penney. “I believe that it’s important
for IT managers to take a proactive approach to working with
auditors, getting them appropriately involved even in the design
stage of new systems,” he says. J.C. Penney, for example, has had a
policy for many years that internal auditors must be involved in
every phase of a project’s development. Under Raish’s leadership
they are frequently called in as consultants on key issues such as
security and reliability.

This proactive approach greatly lessens the likelihood of audit
difficulties, according to Ken Askelson, an IT audit manager at J.C.
Penney who heads the group responsible for monitoring the activities
of the retailer’s IT teams. “I can’t count how many times IT
professionals in this firm have called me in to meetings to discuss
the implications of a new system or procedure,” he says. This policy
of early participation has allowed Askelson to contribute his
perspective, for example, to the policies, procedures and internal
controls required for applications that process accounting records.
“Our participation helped ensure data validity and integrity,” he
says.
3.  Communicate.

Provide  auditors  with  a 
full  understanding  of  the 
IT  department  and  its 
responsibilities. 

COOPERATING WITH AUDITORS means communicating — a lot. “The most
important things that a CIO can do in working with internal and
external auditors is be involved, to be supportive, and to be open
and honest in all situations,” says Lisa Harris, senior vice
president and CIO at Gevity HR, a human resources outsourcing
company. “An independent view of a system, a process or a control
can only help CIOs more effectively support their companies.”

Cooperation is a must if a CIO wants to avoid unpleasant surprises
during an audit, says David Goltz, who recently served as acting CIO
and CFO at Destiny Health, a health-care insurance carrier. “I have
been involved at Destiny in more than one instance where a bug in a
program was fixed so that it worked going forward, but the old data
was inaccurate,” says Goltz, who is now president and COO at a
health-care startup. “The easy fix was to alter the historic data
because reprocessing would have been a huge burden.”

Unfortunately, the programming staff neglected to inform the
accounting staff (and through them the auditors) that changes had
been made to the database. “When the auditors went into the system
to test and verify the hard copy reports that the numbers on the
books were based on, they couldn’t get it to tie out,” says Goltz.
“And when they discovered that the data had been altered, the entire
process became suspect, which resulted in multiple hours of work
pulling original documentation to see that, in fact, the ultimate
numbers were accurate.”


SURVIVAL  STRATEGY 


4.  Seek  auditors’  help  in 
evaluating  business  risks. 

THE SEPT. 11 TERRORIST ATTACKS had a major impact on auditors’
agendas, says Cooper. “Audit committees now have a broad mandate to
ensure that the integrity of the company is maintained. A war
between India and Pakistan could have a severe impact on some
companies’ ability to compete,” he says. “Audit committees are now
responsible for ensuring that the CIO is taking steps, such as
moving key IT functions back to the United States, in order to
offset those risks.”

Today’s world demands extensive disaster recovery planning,
according to Bob Wischnowsky, who as CTO at FleetBoston Financial
has responsibility for the company’s entire computing
infrastructure. “Auditors want to be certain that a company’s
infrastructure can survive even an attack that might cripple an
entire metropolitan area,” he says. “They won’t be satisfied with
some outdated plans that were made back in the pre-Y2K days.” Don
Cyr, a deputy auditor at FleetBoston Financial, says his auditing
colleagues and their compatriots in FleetBoston’s IT groups have
strengthened their partnership on internal audits since 9/11.


SURVIVAL  STRATEGY 


5.  Let  the  auditors  in.  Give 
them  access  to  strategic 
plans,  documentation, 
security  logs  and  test  results. 

IT’S NOT UNUSUAL for IT groups to lack the information that auditors
need to evaluate them, Ward says. He’s encountered companies whose
tools were outdated and that couldn’t provide even basic security
data. Another time he requested wiring schematics of the data
center. “They hemmed and hawed and three days later came up with
some handwritten diagrams, which were wrong,” he says.

CIOs are sometimes guilty of not taking issues such as security
seriously enough, according to David Foote, president of Foote
Partners, an IT management research company. “When the security
function reports through the IT infrastructure, the CIO often
doesn’t want to be seen as the ‘enforcer,’ and thus there’s a
tendency to say, ‘We’ll worry about security later,’” Foote says.

Instead, CIOs need to use the auditors to help create greater
awareness of security issues, says Vince Laino, who serves as both
CIO and CFO at environmental consultancy Weston Solutions. Laino
believes that CIOs shouldn’t be afraid to use the authority of the
auditors to force security issues and cites a case at his own
company where auditors demanded that all terminals lock up if left
unattended for 15 minutes or more. “The end users hated it,” he
says. “But once I explained that failure to comply might result in a
failed audit and consequent loss of our government contracts,
everyone fell into line.”

In other words, if you need to play the good cop, let the auditors
play the bad cop.
6. Alert auditors to new IT implementations. Get projects on the books accurately.

KEEPING THE AUDITORS IN THE LOOP for new development projects helps ensure smooth audits because auditors can provide advice on security and reliability early in the game, making it easier to include appropriate controls and procedures. However, there’s another reason to get the auditors involved up front: proper accounting for IT projects.

FleetBoston Financial CTO Bob Wischnowsky (right) says that collaboration with colleagues like Deputy Auditor Don Cyr improves the quality of IT applications by addressing policies, such as records retention, early in the development process.

According to accounting standards, short-term projects such as system maintenance are supposed to be expensed in full during the current year (like a utility bill) while projects with long-term impact are supposed to amortize over several years as a capital expenditure (like constructing a new office). “The difference can have an enormous effect on the reported profit of a company,” explains Goltz, the former Destiny Health CIO. However, because the boundary between those two types of IT work is often unclear, CIOs have been known to be pressured into accounting for a short-term project as if it were a long-term expense. If recorded improperly, the company’s accounting records don’t accurately reflect its financial health. Keeping auditors apprised on major projects helps ensure that all IT work is recorded appropriately.

It  also  keeps  you  out  of  trouble. 
7. Get auditors to help you understand when to cache it and when to trash it.

AS PREVIOUSLY MENTIONED, the SEC has set up records-retention policies for CPA firms performing audits. Auditors are also excellent resources for CIOs who need to build policies for handling information within their companies. For example, most companies have a policy where they keep backup data for a certain amount of time. Goltz once dealt with a situation in which people who were leaving his company erased data that was needed to complete a transaction. However, the loss wasn’t discovered until two weeks after their departure and the backup was only kept for a single week. “The data was gone, and we had to start over,” he says. In hindsight, he believes that collaborating with auditors might have resulted in policies to provide some protection from such losses.

Wischnowsky, CTO of FleetBoston Financial, says that getting the auditors involved in information policies helps IT groups include those policies as part of the application development process — rather than having to return to a system later to insert rules about what to keep and what to delete. He points out that the latter situation almost always involves unexpected cost overruns. “CIOs need to take auditors seriously when they say that they’re only here to help,” he adds.

cio.com Unsure of what to save and what to chuck? For the full text of the Sarbanes-Oxley Act and SEC Implementation Regulations, see SAVE YOUR ELECTRONIC DOCUMENTS. Find the link at www.cio.com/government.
8. Make the auditing process part of the IT routine.

AS  WISCHNOWSKY  NOTES,  the  ultimate  responsibility  for  ensuring 
that  IT  groups  pass  audits  lies  with  the  CIO  and  IT  managers.  “Good 
[accounting]  controls  and  practices  must  be  built  into  the  day-to-day 
activities  of  the  IT  department,”  he  says.  FleetBoston  Financial  has 
implemented  a  self-testing  process  where  managers  and  teams  are 
responsible  for  certifying  that  those  controls  are  in  place.  Needless  to 
say,  such  work  should  be  done  in  coordination  with  the  auditors. 

Such ongoing attention to audit-related issues need not be overly burdensome. Laino of Weston Solutions cites a policy that he implemented at his company to test backup and recovery procedures of existing business applications using newly purchased servers before they are deployed in production. “This simulates what would happen if we had to reconstruct the data center from scratch and makes certain that the backup data is usable in a real-life situation,” he says.

And  isn’t  that  why  they  made  you  CIO  in  the  first  place? 
9. Respond quickly to correct audit findings.

IT’S  INEVITABLE  that  even  the  best  IT  groups  will  get  “dinged”  in  an 
audit.  That’s  why  it’s  important  for  the  CIO  to  remain  highly  visible  to 
both  the  audit  committee  and  the  top  management  of  the  company.  “A 
CIO  should  always  feel  comfortable  going  directly  to  the  CEO  or  the 
CFO  concerning  anything  that  might  be  covered  in  an  audit,”  says 
consultant  Douglas  Hubbard,  president  of  Hubbard  Decision  Research. 
The  proactive  approach  that  both  CIO  practitioners  and  auditing 
experts  cite  works  to  a  CIO’s  benefit  here;  it’s  better  to  face  problems 
head  on  knowing  what  auditors  have  seen,  what  they  are  examining — 
and  maybe  even  having  led  them  to  some  examination  targets. 

Which leads us back to the credit union CIO whose website was defaced. According to Ward, whose company audited the institution, the CIO avoided being fired because he took the precaution of reviewing security risks with the rest of top management, which decided not to spend the extra money to mitigate the risk. Sharing the information and the decision making also meant sharing the blame. So while the CIO in question didn’t exactly come out smelling like the proverbial rose, he did avoid becoming the brunt of a big stink. An ounce of politics is always worth a pound of apologies.


Geoffrey  James  is  a  freelance  writer  based  in  New  Hampshire.  Send  feedback  to 
Executive  Editor  Michael  Goldberg  at  mgoldberg@cio.com. 
Business is no longer confined by four walls. Today, people need to access
and  exchange  information  -  anytime,  anywhere.  Thanks  to  Siemens 
Next  Generation  Internet  solutions,  they  can.  From  cellular  phones  to 
business  communication  systems  to  optical  networks,  we  provide  the 
tools  that  make  Mobile  Business  a  reality.  As  a  leader  in  everything 
from  information  and  communications,  to  healthcare  to  industry  and 
automation,  Siemens  is  in  a  unique  position  to  make  all  our  lives  better. 
When  you  have  450,000  minds  working  together  all  around  the  globe, 
including  75,000  right  here  in  the  U.S.,  innovative  solutions  emerge. 
And  that’s  what  it  takes  to  change  the  world. 


SIEMENS 


Global  network  of  innovation 


©  Siemens  Corporation,  2002 


www.siemensenterprise.com/mobileoffice 


CSO Perspectives


Today’s  security  executives  meet  at  the  CSO  Perspectives  Conference 


BUILDING  A 


SECURITY 


June  17-19, 2003 
Hotel  del  Coronado 
Coronado,  California 


Building a culture of security involves much more than laying out the policies, procedures and processes that employees, contractors and business partners should follow. It’s about how you effectively communicate the need— how you answer the question “why”— to the myriad of security measures that must necessarily be in place in your organization to ensure the safety of your people, your physical assets and your information assets. It’s about making sure everyone understands the risks and is willing to face up to the challenges.

CSO Perspectives is the landmark event for security and IT executives that helps you confront these challenges by bringing together industry, government and academic experts who've dealt with the issues, debated the policies, and navigated the maze of security considerations that impact you on a daily basis. You’ll exchange best practices with your peers and take home lessons learned from their experiences. What’s more, you’ll have ample time to network, share ideas and expand your contacts during our golf tournament, networking lunches, receptions and other activities.

Call 800-366-0246 or register at www.csoperspectives.com


TUESDAY,  JUNE  17 

3:00  pm— 5:00  pm 

Registration 

11:30  am— 5:00  pm 

Golf  Tournament 

6:30  pm— 8:30  pm 

Registration,  Welcome  Reception 
&  Special  Presentation 

WEDNESDAY,  JUNE  18 

7:00  am— 8:00  am 

Networking  Breakfast 

8:00  am— 8:20  am 

Welcome 

LEW MCCREARY, Editor in Chief, CSO Magazine
BOB BRAGDON, Publisher, CSO Magazine
JONATHAN ZITTRAIN, Conference Moderator and Cofounder, The Berkman Center for Internet & Society, Harvard Law School


8:20  am— 9:20  am 

America’s Place in a Global Society
WESLEY K. CLARK, Former NATO Supreme Allied Commander & CNN Military Analyst, author of Waging Modern War

As American business is increasingly sustained by the global market, international political and military strategy occupy a role of vital significance. Clark has been on the front lines of the world’s emerging markets, intimately aware of the political strategy and psychology that dictate corporate bottom lines. He applies his experience and skills in strategic leadership, high technology, training and organizational development to the challenges facing us today.

9:20  am— 10:20  am 

Creating a Culture of Security
ROBERT LITTLEJOHN, Vice President of Global Security, Avon

Security is an integral piece of the business process— it doesn't function alone. It is essential that all domestic and international employees understand exactly what to do in situations that involve both physical and cyber security. To build a culture of security the chief security officer must take on a strategic role in the organization,
emphasize  leadership  and  communi- 


The  Resource  for 
Security  Executives 


Community 

Integrat 

From  Cobbling  to  Weaving 


The  Promise  and  Payoff  of 
Enterprise-to-Enterprise  Application 
Integration  in  the  Real-Time  Economy 


The flash-in-the-pan “new economy” has faded into history. But a robust successor is well on its way.

Welcome to the real-time economy.

Unlike its ethereal predecessor, this tangible environment is being built on a solid foundation combining secure, reliable, dynamically updated information, highly integrated global value-chain networks, and meticulous attention to the bottom line. For that reason, it’s likely to keep growing for a long, long time.

Not surprisingly, the companies most likely to prosper in this era will be those who can respond instantaneously — that is, in real-time — to changes not just in their immediate enterprises, but throughout their value chains.

"To become leaner and more competitive, companies have adopted a laserlike focus on their core competencies, and increasingly outsource both critical and noncritical operations from finance to logistics to manufacturing," notes Bill Brandel, research director for supply chain management at Aberdeen Group, Inc. "This outsourced competency approach has created a new business ecosystem that extends beyond the enterprise." [Aberdeen, "The B-to-B Gestalt," September, 2002]

Leading companies are already gaining competitive advantage by effectively navigating that new ecosystem. They're developing private trading communities that let them deeply connect their business intelligence applications with the applications of hundreds of their partners worldwide. With such highly integrated real-time communities, here's what companies can do:

•  Identify problems and eliminate errors in demand forecasts and inventory records throughout the value chain.

•  Share information and respond to queries and market events.

•  Cut cycle time for product introductions and customer service.

According to Albert Pang, e-commerce software research manager for IDC, "The mundane task of communicating with one's trading partners has quickly emerged as the latest battleground for companies to squeeze out costs and generate greater productivity and

A 

viacore 

The  Integration  Utility™ 


Custom  Publishing 




CIO  ADVERTISING  SUPPLEMENT 


Viacore 

at  a  glance 


VIACORE, INC.

LOCATION: Irvine, Calif.
FOUNDED: 1999

CHAIRMAN AND CEO: Fadi Chehade

FOUNDERS: Fadi Chehade; Linda York, Vice President of Marketing and Business Development; and Tony Curwen, Vice President of Engineering

MISSION: To create competitive business assets for its clients by weaving their business communities into real-time, private, integrated business ecosystems for deep visibility throughout their value chains.

SOLUTION: BusinessTone, The Integration Utility™ for planning, enabling and managing real-time private trading communities.

CLIENTS: Community Builder clients include industry leaders such as Arrow Electronics, Inc., Cisco Systems, Inc., HP and NEC Corp. Participants in Viacore-operated private communities include Agilent Technologies, Inc., Honeywell-ACI, Philips Semiconductors and Tyco Electronics Corp.

HONORS: Named to InfoWorld 100 list of innovative companies and to Forbes “Best of the Web” directory for 2001 and 2002.

CONTACT:
Viacore, Inc.
5151 California Ave.
Irvine, CA 92612
Telephone: 949/725-1200
Fax: 949/725-1201
www.viacore.net
efficiency.” [IDC, “B2B Marketplace Applications Vendors Leverage EDI and Internet Standards,” December, 2002] And benefits aren’t just tactical. Researchers say that companies with superior value-chain management can save millions of dollars annually while generating millions more in revenue. With results like that, comprehensive real-time private trading communities — such as those enabled by Viacore, Inc.’s BusinessTone™ — clearly qualify as strategic as well.

Meeting  the  Real-Time  Challenge 

Successful private trading ecosystems don’t spontaneously evolve — they require planning, development and maintenance. According to AMR Research Director Kimberly Knickle, writing in The AMR Research Report, "If more than just access to information is required, finding the right method of integration to hundreds or even thousands of partners becomes a challenge of balancing ease of use, cost and manageability with the benefits of automation."

To  ensure  success  in  building  a 
private  trading  community,  companies 
must  address  several  critical  questions. 
Among  them  are  the  following: 

•  How can we assess our trading partners' readiness and enable them for real-time, application-to-application connectivity?

•  How do we educate and train them?

•  How can we provide continuous production-level B2B gateway interoperability to ensure a continuous stream of high-quality data?

•  How can we integrate disparate inter-business systems into a single community in a timely, cost-effective way?

•  How do we ensure that all data formats from our partners are compatible with our own?

•  How do we ensure continuous data integrity?

•  How can we spot trends in our partners' processes and systems to predict or prevent integration breakdowns?

•  How do we manage ongoing change to business intelligence applications and inter-business processes in real-time?

•  How can we integrate and support an increasingly global community?

The  Answer:  Real-Time, 
Enterprise-to-Enterprise 
Application  Integration 

From the CIO's perspective, real-time, enterprise-to-enterprise application integration is the biggest single success factor — and the biggest single challenge — in building a private trading community.


QUESTIONS  &  ANSWERS  ABOUT 

Following  are  some  common  questions — and  answers — about  enterprise- 
to-enterprise  application  integration  and  Viacore’s  BusinessTone  solution. 

Q. I JUST BOUGHT SOFTWARE THAT COST MILLIONS OF DOLLARS. WHY SHOULD I INVEST IN SOMETHING ELSE?

A. “Creating truly integrated communities is more than purchasing and installing software,” says Fadi Chehade, chairman and CEO of Viacore, Inc. “It requires education, training and ongoing lifecycle management.” Unlike software, BusinessTone easily scales to accommodate giant global ecosystems. Unlike software, it provides constant support and maintenance. In addition, BusinessTone’s price is based on a low-risk, usage-based utility model, rather than a large up-front purchase combined with costly software license fees. Finally, unlike software, BusinessTone includes both methodologies and tools for rapid scaling and quickly bringing partners on board.
In fact, as noted in the 15th annual CIO 100 issue of CIO magazine, creating a big-picture view both inside and outside the company has become the only possible survival strategy: “Today, integration is not a choice — it's an obligation.” (See "The Integration Imperative,” CIO, August 15, 2002, available at www.cio.com.)

Why? In a nutshell, it's that same distributed, outsourced approach to doing business. "The more companies do that, the more they need to integrate,” says Fadi Chehade, chairman and CEO of Viacore, Inc. (www.viacore.net), which offers the BusinessTone suite of services for planning, enabling and managing private trading communities. "They need to maintain visibility over the multiple layers in their value chains."

Creating such inter-business connectivity is more difficult than ever. Today, CIOs oversee a hodgepodge of applications from multiple vendors. Often, those systems don't even share information effectively inside the organization, let alone provide constant connectivity to partners, suppliers and others in the extended enterprise. And even when they do, it's not in anything remotely resembling real-time.

"Companies are increasingly finding that information delivered in batches, or with a time lag, is unacceptable," Chehade says. "For true competitive advantage in a global economy, all these applications must be able to talk to each other continuously— in real-time."

Chehade believes that the only way to get that critical right-now visibility into the whole value chain is true production-level interoperability and enterprise-to-enterprise application integration. When applications communicate directly, seamlessly and continuously, they can do the following:

•  Provide  accurate,  constantly  updated 
data  snapshots  from  all  partners. 

•  Create  truly  synchronized 
communities. 

•  Eliminate  errors  created  by 
manual  entry. 

The  BusinessTone  Advantage 

That's  where  Viacore  comes  in. 

Chehade co-founded the company in September 1999 after working for more than 15 years as a computer-industry executive. During that time Chehade founded two other companies, including RosettaNet, the leading nonprofit consortium working to

INTER-BUSINESS  INTEGRATION 


Q.  WHY  CAN’T  I  JUST  BUILD  A  WEB-BASED  COMMUNITY? 

A.  Web  sites  and  portals  are  only  as  accurate  as  their  most  recent  manual  updates — 
the  applications  aren’t  talking  directly  to  each  other.  Chehade  notes:  “If  you’re  in  a 
real-time  mode,  you  can’t  wait  for  a  partner  to  transfer  data  into  your  portal.” 
BusinessTone  clients  benefit  from  deep,  continuous  and  secure  integration. 


Views 

on  Viacore 

Here’s  what  some  leading 
industry  analysts  are  saying 
about  the  Viacore  solution: 


“COMMUNITY BUILDERS need to establish an in-depth assessment and analysis of the state of community participant readiness before attempting to integrate business processes. Service providers such as Viacore can ease this burden by providing a central point of contact for community planning, including the interpretation of guidelines and implementation requirements.”

— BILL BRANDEL, research director for supply chain management at Aberdeen Group Inc.


“VIACORE SELLS INTO a marketplace where costly and time-consuming integration efforts have failed. [By] being compatible with industry standards such as RosettaNet, EDI, and Web services and working closely with Microsoft and Tibco, Viacore has carved out an area where a select group of multinationals would want to have that type of machine-to-machine connection with their trading partners.”


Q.  MY  PARTNERS  HAVE  ELECTRONIC  DATA  INTERCHANGE  (EDI).  ISN’T  THAT  ENOUGH? 

A.  Not  if  you  want  constant  real-time,  enterprise-to-enterprise  application  integration. 

Says  Chehade:  “Business  processes  are  extremely  fluid.  They  change  constantly.  That 
requires  ongoing  service  and  technology  integration.”  EDI  simply  delivers  static  documents, 
much  as  a  postal  service  just  drops  off  the  mail.  BusinessTone,  on  the  other  hand,  offers 
constant,  responsive  connectivity  to  partners  on  multiple  levels  throughout  the  value  chain. 
(However,  BusinessTone  does  support  EDI  and  other  protocols  and  standards,  including  Web 
services,  cXML,  xCBL,  SOAP,  RosettaNet  Partner  Interface  Processes®  (PIPs®),  and  others.) 


—  ALBERT  PANG, 
e-commerce  software 
research  manager,  IDC 

IDC, “B2B Marketplace Applications Vendors Leverage EDI and Internet Standards," December, 2002.
Viacore’s CEO: A Natural Community Builder

FOR VIACORE’S CHAIRMAN AND CEO, creating communities isn’t just a job. It’s a lifelong mission.

“I am passionate about building communities,” says Fadi Chehade, who co-founded Viacore in September 1999. “I’ve always been driven by bringing people and ideas together.”

Chehade has focused on that for much of his 18-year career as a high-tech executive and entrepreneur. Before starting Viacore, he founded RosettaNet, the high-tech sector’s leading consortium for developing inter-business process standards. Previously, as a vice president at Ingram Micro, Inc., he headed development of a pioneering Web-based extranet connecting hundreds of suppliers and thousands of resellers. And before that, he launched nettConnection, an innovative Lotus Notes-based extranet application linking U.S.-based companies to their distribution partners in 36 countries.

Chehade’s extensive expertise in building global business communities once prompted BtoB Magazine to note: “Fadi Chehade was b-to-b before b-to-b was cool.”

At Viacore, he’s drawn on all that experience in creating BusinessTone, a unique integration utility that lets clients such as Arrow Electronics, Inc., Cisco Systems, Inc., HP and NEC Corp. create and run their own secure real-time private trading communities. Today, BusinessTone eliminates the costs, risks and limitations associated with trying to do the job in-house, freeing its customers to focus on process reengineering, relationship management and profits.

To ask questions and learn more about how Viacore can help your business, please contact Chehade directly at chehade@viacore.net.


Fadi  Chehade 


develop inter-business process standards for the high-tech sector.

Today, Irvine, Calif.-based Viacore has a clear mission: to create competitive business assets for its clients by weaving their business communities into real-time, private, integrated business ecosystems for deep visibility throughout their value chains.

The  key  to  creating  those 
sophisticated  inter-business 
communities?  BusinessTone. 

In defining Viacore’s BusinessTone, it’s easiest to start by stating what it isn't. It’s not a big central public business network. It's not software or application management. It’s not a set of standards or protocols. It’s definitely not static EDI.

Rather, BusinessTone is an integration utility, or, as Chehade describes it, "the first solution offering scalable enterprise-to-enterprise application integration.” It's a collection of technologies and methodologies integrated to deliver a turnkey solution allowing companies to plan, enable and manage private, inter-business communities with trading partners worldwide.


Chehade calls all three steps critical for real-time, enterprise-to-enterprise application integration. To elaborate:

Planning the community. First, BusinessTone provides services for defining and shaping a private ecosystem. "The first part is building guidelines and processes that work,” Chehade says. "You have to make sure your partners understand the benefits of integration. You need to educate them so they'll participate."

Enabling the community. Next, BusinessTone configures the community's infrastructure and — equally important — certifies that participants are ready for continuous real-time connectivity according to the community builder's guidelines and specifications.

Managing the community. Finally, BusinessTone manages the community, provides 24x7 support and maintenance, monitors performance, assures data integrity, prevents errors and responds to problems. The utility also meets the service-level agreements set by community builders, managing the constantly changing processes, partners and data. At the same time, while streamlining the workload placed on its customers' internal IT resources, BusinessTone leaves control over the private ecosystem entirely up to the customer.

By leveraging the capabilities of BusinessTone, Viacore’s clients are able to build highly reliable, cost-effective private trading communities that enable value chain partners to rapidly respond to changes in the business environment. As Chehade explains: "The real-time economy is being built now, and it’s changing the pace at which we do business. Business speed and agility impact not only a company's bottom line, but also the operational excellence of the business." As Viacore has proven through its successful BusinessTone communities, the time for "real-time" is now.
ion, and develop the policies and jns that protect the company’s people and other assets.


10:20 am— 11:00 am

Coffee Break and Sponsor Exhibits

11:00 am— 12:15 pm

Sponsor Briefings

12:15 pm— 1:45 pm

Networking Lunch

2:00 pm— 2:30 pm

Special Session

2:30 pm— 3:30 pm

Governance and Policy Management
Moderator: DEREK SLATER, Executive Editor, CSO Magazine
Participants: NEIL tCKSON, CISA, Business Manager Internal Audit, Global Information Technology, ■TRADE Group, Inc.
LL SPERNOW, SO, Georgia Student Finance Commission

Security governance issues are a particularly thorny topic, as more executives and boards of directors understand their responsibility and accountability in information security governance. They will be challenged to prove they are managing aspects of security to a level that will satisfy business partners, customers and stakeholders - and that will minimize potential litigation. A blue-ribbon panel discusses governance issues, who makes the policies, what they look like, how they get made and how you enforce them.

3:30 pm— 4:30 pm

Developing an Effective Framework for Risk Assessment
THOMAS P. ARMOUR, Program Manager, Defense Advanced Research Projects Agency (DARPA)

In order to effectively assess your risks, you need to develop a framework and a highly systematic approach. One key is first analyzing Threat, Vulnerability and Consequences independently, and then assess them altogether. If the Threat and the Vulnerability aren’t large— but the Consequences are massive, you’ve got a very big problem. What are the trade-offs between instituting appropriate levels of security and stifling the business? The approach, tools and analytics are applicable to both physical and cyber security.

4:30  pm— 5:30  pm 

The  Peer-to-Peer  Networking 
Reception 

THURSDAY,  JUNE  19 

7:00  am— 8:00  am 

Breakfast  &  informal 
Discussion  Roundtables 

8:00  am— 9:15  am 

What  Every  CSO  Should  Know 
About  Intellectual  Property 
Moderator:  JONATHAN 
ZITTRAIN 

Panelists:  MELISE  R. 
BLAKESLEE,  Partner, 
McDermott,  Will  &  Emery 

JOHN  P. 

PONTRELLI, 

Global  Security 
Director,  W.L.  Gore 
&  Associates 
LYNN  MATTICE, 

Director  of  Global 
Security,  Boston 
Scientific 
More organizations are realizing the potential threats of not safeguarding their own intellectual property, and of the possible liability of misusing others’ property, even unintentionally or unknowingly. Many are seriously weighing the risks of not implementing digital rights management (DRM) technologies. Our panel explores recent trends in intellectual property issues and litigation, and discusses the impact on businesses of all types.

9:15  am— 10:30  am 

Evaluating  New  Technologies 
MODERATOR: 

CHRIS 
LINDQUIST, 

Technology  Editor, 

CSO  Magazine 
BOB DEGAN, Senior Vice President, Corporate Security, First Data Corp.

COLONEL THADDEUS A. DMUCHOWSKI, Director of the Information Assurance Directorate, Department of the Army

DAVID MACLEOD, Ph.D., CISSP, CPHIMS, Director of Security, The Regence Group

JEFF WACKER, EDS Fellow, Vice President & CTO, EDS

It’s  been  frequently 
said  that  security  is  a 
business  problem, 
not  a  technology 
problem.  However,  technology  does 
play  a  crucial  role  in  your  ability  to 
provide  both  physical  and  cyber 
security.  Our  expert  panelists  talk 
about  what  technologies  they  see  in 
the  near  term  that  will  have  the 
most  impact  on  the  CSO  and  CISO. 
What  will  work,  what  won’t— what 
you  should  be  afraid  of,  and  why. 

10:30  am— 11:00  am 

Coffee  Break  &  Sponsor  Exhibits 

11:15  am— 12:25  pm 

Sponsor  Briefings 

12:25  pm— 2:00  pm 

Networking  Lunch 

2:15  pm— 3:30  pm 
DrillDown  Breakout  Sessions 

These sessions are designed to give conference attendees the opportunity to work and network in smaller groups, and discuss specific topics and issues in greater detail.

3:45  pm— 5:00  pm 

Ethics  and  Privacy  in  Action: 

A  Scenario  Panel 
Moderator: 

JONATHAN  ZITTRAIN 

Panelists: 

DEBORAH WEINSTEIN, Labor & Employment Law Attorney, Eckert Seamans Cherin & Mellott, LLC

CHRISTOPHER HOOFNAGLE, Deputy Counsel, Electronic Privacy Information Center

TERRY LENZNER, Chairman, Investigative Group International

DOUGLAS MILLER, Executive Director of Privacy, America Online

An action or policy may very well be legal — but if it isn’t ethical, you may be setting yourself and your organization up for some nasty surprises (not to mention nastier lawsuits). What’s legal, what’s ethical — what’s the difference and who decides? What role does the corporate culture play in ensuring that all employees consistently adhere to policies? Our panelists — along with audience participants — explore various scenarios.


5:00  pm— 5:15  pm 

Closing  Summary 
JONATHAN  ZITTRAIN 


5:15  pm— 6:00  pm 

Networking  Reception 

7:15  pm— 9:30  pm 
Black  Tie  Dinner  & 

Entertainment 
JIMMY  TINGLE, 

Social/political 
Commentator  & 

Humorist 
Tingle is regarded as one of the top social and political commentators and humorists in the country, uncovering the absurdities of modern life with an irreverent and incisive wit. After two days of hard work and serious presentations, who among us can’t use a good laugh?


Presentation  of  the 

CSO  Magazine  Compass  Awards 

BOB  BRAGDON  & 

LEW  MCCREARY 

CSO  Magazine  is  pleased  tonight 
to  honor  several  individuals  whose 
leadership,  innovative  thinking  and 
dedicated  effort  have  advanced 
security  awareness,  policies, 
technologies  and  practices  for  the 
betterment  of  the  field. 


9:30  pm— 11:00  pm 

SPECIAL  DESSERT 
RECEPTION 


CSO  Perspectives  is  proudly 
underwritten  by 


Microsoft 


ILLUSTRATION  BY  MARC  ROSENTHAL 


Security 


The entertainment industry is battling the illegal distribution of copyrighted music and movie files — and will stop at nothing to enlist your help

BY SARAH D. SCALET


TO THIS DAY, THE CIO OF A WELL-RESPECTED research organization in California has no idea how someone hacked into his company’s computer systems and used them to store and transmit pirated movies and music. He’s not even sure how the Motion Picture Association of America (MPAA) learned about the crime before he did. What he does know is this: The film industry association tipped off the FBI, which came knocking, and he hasn’t seen the compromised hard drives since — nor does he want to. The CIO wants to be finished with the whole business.

“The MPAA must have ways of detecting illegal use,” says the CIO, who spoke on the condition of anonymity to protect the FBI’s investigation, which is still active. (Neither the MPAA nor the FBI would comment on the case.) “They contacted us and said our IP address was illegally serving up information, and we said, ‘No, that’s not possible.’”

Indeed  it  was. 


Reader  ROI 

►  Why  the  entertainment  industry 
is  trying  to  coerce  organizations 
into  preventing  copyright 
infringement 

►  How  seriously  to  take  its  threats 

►  Ways  to  keep  from  becoming  the 
next  poster  child  for  copyright 
infringement 
Fortunately, for him and his organization though, he is done with the whole business. The hard drives cost only a few hundred dollars to replace, and downtime was minimal. In addition, the MPAA didn’t pursue legal action because, he says, his organization was an innocent bystander that cooperated fully with the investigation.

But if the entertainment industry has its way, your company might not be as fortunate. The industry is taking steps to hold your company liable if your systems are used to share pirated materials — which could happen either when a hacker invades and loots your free disk space or when your users are busy swapping copies of the latest song from the Dixie Chicks. The warning shots have already been fired: In April 2002, Integrated Information Systems, a high-tech company, paid the Recording Industry Association of America (RIAA) $1 million in an out-of-court settlement, after the company allegedly permitted its employees to share copyrighted MP3 files on its corporate network. Although this may come off as a scare tactic, there are good reasons to protect your company from becoming the entertainment industry’s next poster child for copyright infringement. We’ll tell you how seriously to take the warnings and how to protect your company — which is easier to do than you might think.

THE ENTERTAINMENT POLICE

When music industry associations won the court battle to shut down Napster — that giddy but short-lived music-swapping service that made peer-to-peer (P2P) a household phrase — they were just getting started. The entertainment industry is at war with Internet pirates, which it believes are threatening its very livelihood. The MPAA, which estimates that the U.S. film industry loses $3 billion a year from physical piracy alone, is growing increasingly frustrated by how often video files are available on the Internet before the movies are released in theaters or on DVD and video. The RIAA, meanwhile, blames piracy for the 7 percent decrease in the number of compact disc shipments during the first half of 2002. That kind of research causes much eye-rolling among Internet libertarians who believe file-swappers aren’t necessarily downloading files they would otherwise purchase, and others who say that a free sample might entice listeners into buying a whole album. But the threat to the industry is real, if overstated.

Part of the problem is organized hacking groups, plain and simple. So-called Warez (pronounced “wares”) groups host websites that proffer pirated software, music, movies and pornography. Hackers get bragging rights for being the first to post new files or to crack copyright protection schemes. It’s likely that our anonymous CIO’s computer systems were being used by one of these groups.

To hear the entertainment industry tell it, though, covert Warez activity on the networks of unassuming companies — the risk of which can be minimized by heeding long-established security best practices — is only background music. Security 101 precautions such as properly configured firewalls, the dogged installation of patches to fix newly discovered software vulnerabilities and even carefully monitored intrusion detection systems will go only so far in preventing illegal activities. That’s because, while Napster is no more, dozens of services, such as eDonkey, Gnutella, Grokster and Kazaa, have sprouted in its place — and have earned the reputation of being venues for exchanging pirated files.

These P2P systems, which allow people who download their software to exchange .exes, MP3s, .mpegs and other files directly with one another, have legitimate reasons for being. Some artists like to give away songs or videos to win fans, and the business possibilities of file-swapping are promising enough that Lotus Notes creator Ray Ozzie started a company, Groove Networks, that is working on P2P for the enterprise, with funding from Microsoft. Kazaa, the most popular P2P service in the United States, boasts that its software has been downloaded more than 200 million times.

Citing estimates from third-party analysts who put the number of illegal file downloads at 2.6 billion a month, RIAA President Cary Sherman says, “You’re just not going to get those kinds of numbers from people going to Warez sites.”

In response, the entertainment industry has launched a campaign the likes of which CIOs haven’t seen since the Business Software Alliance and Software Publishers Association started cracking down on pirated software in the mid-1990s. Collectively, the two groups earned a reputation as “the software police,” says Ted Claypoole, an attorney for Womble, Carlyle, Sandridge & Rice. “I’ve been to seminars where representatives have spoken and handed out whistles with their phone numbers on them for people to call and be a whistle-blower. That’s what they rely on.”

But  the  entertainment  police  don’t  need  whistle-blowers.  All 
they  have  to  do  is  surf  the  Internet. 


WARNING  SHOTS 

Tom Temple spends his workdays trolling the Internet for free copies of the latest blockbusters. After all, that is what the MPAA pays him to do. “If somebody is using a P2P server or is set up as a P2P server, then we will find it using our search engines,” says Temple, director of worldwide Internet enforcement for the MPAA. When he and his team find copyrighted movies online, they mail an infringement notification to the owners of the IP address, warning them of potential liability and asking that the material be removed. When they unearth an operation larger than a single P2P user, they get law enforcement involved.

Colleges — with their high-speed connections and privacy protections — are the bane of Temple’s existence. “It’s hard for me off the top of my head to think of a university that hasn’t gotten a [cease-and-desist] letter from us,” he says. It’s no wonder then that the MPAA, along with the RIAA, National Music Publishers’ Association and Songwriters Guild of America, in October 2002 sent a letter to more than 2,300 college and university presidents urging them to prevent copyright infringement by students. The letter asks schools to create rules against sharing copyrighted materials, and to monitor compliance and impose effective remedies against violators.

Techniques to Limit Liability

Here are several ways to limit illegal use of your company’s networks

► Use content-filtering software to block P2P websites.

► Configure routers and firewalls to close the ports used by file-sharing software. P2P services may appear, disappear and change IP addresses, so this requires vigilance.

► Monitor network traffic for certain types of files such as .mpegs. This could also raise a flag if an outsider were using your network to traffic illegal files.

► Set up access privileges so that employees can’t download software. Install software or change permissions as needed.

► Limit the amount of disk space employees have. Dole out extra space only when you know it’s for a legitimate purpose.

► Consider installing auditing software, such as Lighthouse from Cohesiant, that tracks what kinds of software are installed on employees’ computers. -S.S.
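The port and traffic-monitoring items in “Techniques to Limit Liability” can be checked against firewall or proxy logs. The script below is an added example, not part of the article: the log format, addresses and the 500 MiB threshold are constructed assumptions, and the ports are the commonly documented defaults for FastTrack/Kazaa, Gnutella and eDonkey, which clients can change.

```python
"""Flag likely file-sharing activity in connection logs (added example).

Constructed log format, one record per line:
  timestamp internal_ip external_ip service_port direction bytes_sent filename
direction is "out" when the internal host opened the connection and "in"
when an outside peer connected to it; filename is "-" when unknown.
"""
import ipaddress
from collections import defaultdict, namedtuple

# Commonly documented default ports. Clients can be reconfigured, so a clean
# result does not prove the absence of P2P traffic.
P2P_PORTS = {
    1214: "FastTrack/Kazaa",
    6346: "Gnutella",
    6347: "Gnutella",
    4661: "eDonkey",
    4662: "eDonkey",
    4665: "eDonkey",
}
MEDIA_EXTENSIONS = (".mp3", ".mpeg", ".mpg", ".avi")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
BULK_BYTES = 500 * 1024 * 1024                     # assumed alert threshold

Record = namedtuple("Record", "ts host peer port direction sent filename")

# Constructed sample data; external addresses are documentation ranges.
SAMPLE_LOG = """\
2003-04-01T09:02:11 10.1.4.23 192.0.2.15 1214 out 48211 -
2003-04-01T09:02:40 10.1.4.23 192.0.2.15 1214 out 7340032 track01.mp3
2003-04-01T09:05:02 10.1.7.80 198.51.100.9 80 out 1822 index.html
2003-04-01T02:14:55 10.2.0.5 203.0.113.77 21 in 367001600 release.part1.mpeg
2003-04-01T02:51:09 10.2.0.5 203.0.113.78 21 in 262144000 release.part2.mpeg
2003-04-01T10:11:30 10.1.9.12 198.51.100.44 6346 in 90211 -
garbled line without enough fields
"""


def parse_line(line):
    """Return a Record, or None if the line is malformed or not about an internal host."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, host, peer, port, direction, sent, filename = parts
    try:
        host_ip = ipaddress.ip_address(host)
        ipaddress.ip_address(peer)
        port, sent = int(port), int(sent)
    except ValueError:
        return None
    if direction not in ("in", "out") or host_ip not in INTERNAL_NET:
        return None
    if not 0 < port < 65536 or sent < 0:
        return None
    return Record(ts, host, peer, port, direction, sent, filename)


def analyze(log_text):
    """Return ({internal_host: [findings]}, number_of_unparseable_lines)."""
    findings = defaultdict(set)
    media_bytes = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count these: silent drops hide logging gaps
            continue
        # Check 1: traffic on a known file-sharing port, in either role.
        if rec.port in P2P_PORTS:
            role = "serving" if rec.direction == "in" else "client"
            findings[rec.host].add(
                f"{P2P_PORTS[rec.port]} {role} on port {rec.port}")
        # Check 2: media files leaving the network, summed per host so that
        # a host being used as a drop site shows up whatever port is used.
        leaves_network = ipaddress.ip_address(rec.peer) not in INTERNAL_NET
        if leaves_network and rec.filename.lower().endswith(MEDIA_EXTENSIONS):
            media_bytes[rec.host] += rec.sent
    for host, total in media_bytes.items():
        if total >= BULK_BYTES:
            findings[host].add(
                f"bulk media upload: {total // (1024 * 1024)} MiB")
    return {host: sorted(items) for host, items in findings.items()}, skipped


if __name__ == "__main__":
    report, skipped = analyze(SAMPLE_LOG)
    for host, items in sorted(report.items()):
        print(host, "->", "; ".join(items))
    print("unparseable lines:", skipped)
```

The second check matters for the anonymous CIO’s situation: the constructed host 10.2.0.5 never touches a P2P port, yet its outbound media volume still raises a flag.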

Later that month, the associations broadened the audience, sending a similar letter to the CEO or president of every company in the Fortune 1000. “It appears that many corporate network users are taking advantage of fast Internet connections at work by publicly uploading and downloading infringing files on P2P services and also distributing and storing such files on corporate intranets,” the letter says. It goes on to warn executives that this use of networks “subjects your employees and your company to significant legal liability under the federal copyright law.”

More will follow, warns the RIAA’s Sherman. “We’ve started this as an education campaign, and now we’re beginning to do searches. At some point after that we will be more aggressive in terms of enforcement,” he says.

Some would say they’ve been plenty aggressive already. In January, a federal judge in Washington ordered Verizon Communications to reveal to the RIAA the identity of an Internet subscriber suspected of illegally exchanging copyrighted files — a huge blow for critics of the Digital Millennium Copyright Act (DMCA), a controversial law passed in 1998 that gave copyright holders greater power in pursuing copyright infringement cases. Meanwhile, the RIAA has been lobbying Congress to pass legislation that would allow copyright holders to disable file-sharing operations using technical means such as file-blocking or even, critics contend, hacking.

None of this has made the association exactly popular. But it’s not only fringe protesters and Web vandals who have been put off by the RIAA’s approach. Some members of the university community bristle at the way the RIAA is interpreting a clause in the DMCA that protects Internet service providers from liability if their service is used to share files illegally. This clause is thought by many to exist because of the legal difference between selling Internet access to individuals for their own personal use and giving them a computer and Internet connection to use for work. Universities believe that the safe harbor includes them because they function as ISPs, where students plug their own computers into university networks for Internet access.

“I think that their tactics have been rather heavy-handed,” says Paul Morris, CIO of Drake University, who was surprised to learn that Drake’s security policy was cited as a model in the letter the entertainment industry sent to universities. “I don’t see that the RIAA has any legal basis to take action against universities. They do have a strong ethical case, and I think if they approached this as an ethical issue rather than a legal one, universities might be more receptive.”

The industry’s vigilance, however, should come as no surprise. The stakes are high. “They’re so afraid of losing control of the revenue stream from copyrighted files that for them the sky is falling,” says Evan Bauer, a principal research fellow at the Robert Frances Group and former CTO for global infrastructure at Credit Suisse First Boston. “It’s good for them if they can create blind panic, especially in the legal department.”

HOW  TO  PROTECT  YOUR  COMPANY 

So how seriously should you take what the entertainment industry is doing? Not as seriously as they might like you to, but you need to do something. Organizations that allow illegal files to be stored on their hard drives could indeed open themselves up to millions of dollars of potential liability. So far the entertainment industry — perhaps assuming that companies have their own incentives to try to keep out hackers — has been sympathetic to organizations that inadvertently let hackers into their systems. But the industry is harder on organizations that look the other way when it comes to illegal employee activity. For them, liability is a way to provide that incentive — and prosecuting individuals won’t get them far. “If someone has a stolen copy of Shrek that they’re serving up to the world, the studio is not going to go after the person; they’re going to go after the corporation,” Bauer says.

But keeping your company from being hauled into court won’t be the most difficult issue you’ve ever tackled. “The most important thing is having a policy,” says Tsvi Gal, senior vice president and CIO of Warner Music Group. “Issue a policy stating that your organization opposes the illegal infringement of copyrighted files and that a person caught doing it on company assets will be subject to discipline. If people understand that it is wrong and that there may be steps taken against them, they will probably cease doing this.”

Drake’s policy, for example, states that it’s not acceptable to “violate the federal copyright law by downloading copyrighted audio, video, graphics or text materials from the Internet without proof of proper licensing arrangements.” The policy warns that rule-breakers may lose computing privileges, be suspended or expelled, and will be held liable or prosecuted under state or federal statutes.

Following up on that policy is key, attorneys say. “The worst thing to do is to have a policy that sets a standard that you never enforce,” says attorney Bruce Keller, a partner at Debevoise & Plimpton and a leading expert on copyright law. “You’ve defined the standard to which you’re going to hold yourself.”

A few technical steps can help enforce the policy (see “Techniques to Limit Liability,” Page 90). In addition, there are other incentives for doing so. By their very nature, P2P services have security risks. Employees may be inadvertently “sharing” more than they realize and making sensitive documents available publicly, or they may be downloading files that contain viruses and worms. Stopping it can be to your advantage. What’s more, cutting down on illegal file-sharing can go a long way toward freeing bandwidth and disk space to be used for other — more productive and legal — activities.

James R. Bottum, vice president for information technology and CIO at Purdue University, opted not to ban P2P software outright but instead to discourage it. First, he and his staff started educating students about why exchanging copyrighted material is not acceptable. Then they limited the amount of bandwidth that any one student could consume, with a process known as traffic shaping. When a student gets close to his bandwidth quota — which is sufficient for typical e-mail and Web surfing but not enough to serve up Seinfeld to everyone in the northern hemisphere — his connection slows down.

Although Bottum won’t share specifics, he says the process has paid off. “If you have 80 percent of your bandwidth chewed up by people dragging music and movies around, is that what you want to spend your money on?” Bottum asks. And if you’re still not sure of the answer, just call the RIAA or MPAA.


Senior  Writer  Sarah  D.  Scalet  can  be  reached  at 
sscalet@cio.com. 
Microsoft’s IT boss is the first to install, the first to deploy and the first to judge. Consequently, he’s learned a little bit about rollouts.


Rick  Devenuti  has  one  of  the  most  high-profile  IT  jobs  on  the  planet. 


In  addition  to  being  a  first-round  tester  for  unreleased  Microsoft  products,  he 
faces  a  user  base  made  up  of  some  of  the  most  computer-savvy  people  in  the 
world.  He  also  knows  that  if  anything  goes  wrong,  the  details  may  end  up  as 
front-page  news  within  hours— witness  Microsoft’s  very  public  tussle  with 
the  Slammer  virus  early  this  year. 


And IT isn’t Devenuti’s only concern. As corporate vice president and CIO for Microsoft’s Operations and Technology Group (OTG), he’s also responsible for Microsoft’s day-to-day manufacturing and distribution operations. Devenuti recently sat down with CIO editors and discussed how his job isn’t much different from everyone else’s — despite what some may think.


Reader  ROI 

►  Learn  how  Microsoft’s  CIO 
is  involved  in  the  product 
development  process 

►  Discover  how  Microsoft 
attempts  to  cope  with 
security  issues 


CIO: You use new Microsoft products before anybody else. Do you have to, by default, deploy all new Microsoft products?

RICK DEVENUTI: We set as our number-one priority to be Microsoft’s first and best customer. We define scenarios for why we would use the product and how we could use it. If we can’t come up with a scenario that says the product makes sense, we won’t implement it. But when we’re talking about enterprise products, there are very few that wouldn’t make sense. For example, we’re rolling out Exchange 2003 Beta 2, formerly known by the code name Titanium. For Exchange 2003, we’ll ship 15,000 copies to users in corporate. Today we’ve got about 6,000 users — 2,500 users in “dog food” [prerelease Microsoft product] and 3,500 users in deployment.

But we don’t just throw it on servers and hope that we’re still in business tomorrow. We’ve got a plan for 15,000 users on Exchange 2003 in our environment, at a certain level of availability, for two weeks before we can ship that product to customers. We will complete 72,000 mailboxes on Exchange 2003 before we release the product.

Lots of vendors are now using their own products before rolling them out to customers.

We’ve always done it, but the way we do it changed two years ago. We’ve always “eaten our own dog food” is the term. But rather than be a test lab, I want to be an IT organization that adds value to the feedback. Instead of just taking a product and rolling it out, we say, What are the scenarios we want to see for it? For an IT pro, that means, What do you have that’s of value to me? Then I go up against, How are you going to market this thing? What is it that you’re going to say to customers? If you’re going to say, “server consolidation,” I’d better have a scenario that does server consolidation. As opposed to saying, “It’s running in Microsoft,” which we’ve been doing for years and years.

What we wanted to change was not that it runs here, but that it runs under these scenarios. And so we get the product group to align under shared goals that say, It runs under these scenarios, and if you’re going to market server consolidation and we can’t prove it, [Microsoft CEO] Steve [Ballmer] will stop that marketing. I just have to go to Steve and say, “It doesn’t work.”

We haven’t had one of those meetings in a while. OTG has developed its credibility with the product groups, so instead of requiring escalations [to upper management] to address key issues, the product groups are invested in a strong partnership with us. The internal deployment through OTG has become an integral part of the development process.

Given  the  importance  of  successful  product 
rollouts  at  Microsoft,  you’ve  obviously 
developed  a  process  for  doing  that.  Do  your 
customers  ask  for  that? 

We  have  a  lot  of  discussions  with  customers 
about  our  deployment  strategy.  If  we  look  back 
and  say,  “If  we  knew  then  what  we  know 
today,  we  probably  would  have  done  things 
differently,”  we  share  that  with  our  customers. 

When  we  first  rolled  out  Windows  2000, 
there  was  a  lot  of  group  discussion  about 
how  did  you  decide  the  number  of  forests  [or 
groups  of  users]  and  why  did  you  create  these 
domains,  and  how  did  you  lay  out  the  Active 
Directory.  Since  the  Active  Directory  was 
brand  new,  being  the  first  ones  to  use  it  was 
very  helpful  to  customers.  We  had  a  lot  of 
deep  technical  discussions  with  our  deploy¬ 
ment  team.  Since  we’re  early  adopters,  we 
spent  a  lot  of  time  as  we  went  through  the 
process  communicating  what  we  were  think¬ 
ing  and,  frankly,  what  doesn’t  work  well. 

The  best  example  revolves  around  Win¬ 
dows  2000  and  the  Active  Directory.  There 
were  two  scenarios  that  needed  extra  work. 
One  was  getting  the  Active  Directory  and 
server  applications  such  as  Exchange  to 
work  together  to  utilize  the  Active  Directory 
effectively  so  that  the  end-to-end  solution 
was solid. The second was the multiforest
scenario. The problems here revolved around
ensuring that all the components that modified
data in the directory (account creation
and management systems, applications, synchronization
tools) worked together to keep
the data in the directory consistent while
reducing the complexity of managing the
whole system. OTG’s impact really becomes
important with those systemwide issues that
span multiple product groups.

How  do  you  handle  enforcing  IT  policy? 

As  a  company,  we  really  try  to  avoid  any 
type  of  bureaucracy.  We  do  not  manage 
desktops.  It’s  a  decision  we  made  a  long  time 
ago.  We  don’t  want  to  tell  people  that  they 
can  only  use  a  particular  version  of  Office. 
We don’t think that’s going to grow a company
that will have people thinking outside
of  what  they  see  today.  We  have  to  support 
the  desktops,  but  we  don’t  manage  them. 
The  only  policies  that  we  put  in  place  are 
around  security.  What  they  can  do  and  what 
we  will  force  them  to  do  if  they  don’t  do  it 
voluntarily.  Outside  of  that,  we  let  them  do 
virtually  whatever  they  want  on  the  desktop. 

If people go to a server and pull something
down, and it crashes their machines,
we  as  a  team  will  have  to  go  fix  them.  Does 
that  have  a  productivity  hit?  Yeah.  It  has  a 
cost  and  a  productivity  hit  for  them.  On  the 
other  hand,  if  they  pull  something  down 
that  they  haven’t  seen  before,  and  it  excites 
them  and  results  in  a  better  product,  that’s  a 
pretty  good  price  to  pay. 

Has  the  recent  Slammer  incident  caused 
you  to  change  any  of  your  policies? 

The  security  of  the  network  relies  on  three 
things  being  in  balance:  people,  process  and 
technology.  In  the  case  of  the  Slammer  virus, 
we  had  a  process  in  place  for  forcing  patches 
in the data center, we had a process of notifying
end users of the patch, and we had the
technology  that  enabled  the  patching 
process.  Where  we  fell  short  was  with  our 
people.  The  Slammer  hit  our  developer  labs 
that  sit  outside  of  our  managed  network 
environment.  We  were  relying  on  these  lab 
managers to update the machines to the latest
patches, and they didn’t do it in a timely
manner. As a result of the Slammer, we are
considering whether a forced patching policy
or further network segmentation to isolate
our labs is preferable on a go-forward
basis. Our recommendation will be finalized
during the next several weeks.

Speaking  of  security,  what  is  your  role  in 
relation  to  all  the  people  who  think  about 
security  within  Microsoft? 

I like to think I’m the person most concerned
about security in the enterprise. If
there’s  an  incident  that  puts  our  information 
or  our  customers’  information  at  risk,  it’s 
happening  on  my  watch,  so  I’m  involved  at 
a  fairly  granular  level. 

To  be  secure  you  need  great  technology, 
but  just  as  important,  you  need  great  people 
and  great  processes.  We’ve  got  a  team  that 
focuses  on  the  technology;  I  focus  on  people 
and  processes.  The  biggest  weakness  is  people. 

As  in  any  environment,  there’s  a  myriad  of 
ways  that  users  can  significantly  reduce  the 
security of an enterprise. One simple example
is password management. All too often,
employees  unconsciously  put  our  network 
security  at  risk  by  any  number  of  things  such 
as  posting  their  passwords  on  their  monitors, 
always  using  the  same  passwords,  sharing 
their  passwords  with  others  and  the  like. 
Another  issue  is  not  implementing  patches 
in  a  timely  manner.  The  people  part  is  always 
the  hardest  to  manage. 

It  seems  to  be  human  nature  not  to  patch 
daily  or  not  to  update  antivirus  definitions 
until  it’s  too  late.  Is  it  the  same  at  Microsoft? 

We’ve  done  a  lot  of  [internal]  marketing  under 
the  Safe  Secure  Smart  banner  around  security. 
We  decided  IT  needed  to  market  security  to 
the  user  base.  A  lot  of  that  started  after  9/11. 
We  took  that  opportunity  while  people  were 
thinking  about  physical  security  to  also  start  a 
marketing campaign around information security.
But people are people, and we’re hoping
that they’re pretty busy with their jobs. So
there are some things that we’ve had to do.
We’ve just rolled out on the remote access side;
27,000 people in Microsoft need to have a
smart card to connect remotely. We’ve introduced
another new policy where you have to
use Connection Manager. With Connection
Manager we’re able to make sure that you
have the current version of the antivirus or you
can’t connect. The feature pack of Systems
Management Server that will be introduced
shortly is something that we’ve worked very
closely with the product folks on, which allows
us to force patches to the desktop. We’ll advertise
them, and depending on the patch, give
our clients an opportunity to decide when they
want to patch. But when we decide it’s time, if
they haven’t patched, we can force them.

“Where [Microsoft] fell short with stopping the
Slammer virus was with our people.”
-RICK DEVENUTI

The  reason  why  we  like  being  the  “first  and 
best  customer”  is  the  ability  to  sit  down  with 
the  product  group  during  a  series  of  meetings 
and say, “This is what I need to run the enterprise
securely. I need this to be in your product,
or I have to go find a different product to do
it. Windows Update is not it.”

Does  the  nature  of  the  in-house  Microsoft 
user play into this? Because he’s more technically
sophisticated than the average user,
does  that  present  challenges  for  you  or 
make  things  easier? 

I  think  it  plays  both  ways.  Microsoft  has  more 
than  50,000  employees  now,  with  another 
10,000  to  15,000  interns  and  consultants. 
We’ve got users who are sophisticated technically,
but we’ve also got accountants, we’ve
got  salespeople — we’ve  got  the  full  gamut  that 
any  enterprise  would.  We’re  a  little  tech  heavy, 
but  we’ve  got  to  think  about  our  technology 
meeting  the  needs  of  the  entire  company. 

Some people put every bit that they find
on any server anywhere in the company on
their machines, and we applaud that creativity
and support it, but it does make supporting
desktops a little difficult. We’re not
talking beta versions of the next code; we’re
talking about alpha versions, or “Something
I just threw on the server that I wrote yesterday,
and it’s cool, and you know, let me
try it.” So we do run into some interesting
experiences trying to maintain the systems.

Do  you  think  there’s  a  higher  standard  of 
performance  for  your  IT  department  than 
for  most  because  you’re  so  high  profile? 

We had an incident in October of 2000
[when a hacker penetrated the corporate network]
on the security side that alerted me to
the impact on the company of us not doing
our job well. So we take that standard pretty
high as an organization. There are very few
things that we do here that don’t become
public. It takes about four hours for Steve to
send an e-mail before it shows up somewhere.
So if we have a large outage because
of something we do, we can say it’s [a prerelease
product], but it’s going to look like a
large outage. And somebody’s going to write,
“Exchange 2003 isn’t ready and that probably
means a delay in the product.” We realize
that comes with the territory. Holding yourself
to that standard is pretty fun.
Career Counsel

Advice to Aspiring CIOs and IT Managers

A 12-Step Program for Aspiring CIOs

Mattress  Giant’s  CIO  suggests  a  path  to  the  big  chair 

BY  STEVE  WILLIAMS 

A  FORMER  BOSS  RECENTLY  WROTE  to  me  about  how  much  he 
enjoys  watching  those  whom  he  had  mentored  in  previous 
years  succeed  in  their  life’s  endeavors.  My  own  memories  went 
back  to  days  when,  together,  we  had  wrestled  with  converting 
the  databases  of  an  acquisition  and  visiting  with  English- 
impaired  Japanese  joint  venture  partners.  Those  seemed,  at  the 
time,  trying  days.  But  in  retrospect,  they  were  tiny  jewels  of 
experience  that  my  former  managers  and  mentors  bestowed 
on  me.  I  consider  myself  lucky  to  have  worked  for  and  beside 
each  of  them. 

And  now,  I’m  the  former  boss.  It  fills  me  with  an  often  too- 
fleeting  moment  of  paternal  pride  as  I  see  a  programmer  of 
mine  with  his  own  consultancy  and  a  former  project  manager 
get  appointed  to  his  first  vice  presidency. 

The  importance  of  good  mentoring  in  our  profession  is  often 
overlooked. However, as CIOs we have a duty (and the privilege)
to share as much of our experiences and life’s lessons as
we can with the future of our industry. We can get so caught up
in the daily ordeal of “leaping the tallest building in a single
bound,” that we forget to teach our wunderkinder how to
leap. It’s not so much the technology skills that we can share
with them. More important, we need to leave them the keys to
successful careers as technology executives and visionaries.

Just as a cub reporter learns the art of opening the doors of
confidential sources, our proteges need to learn the art of effective
boardroom strategies. It’s not only important to the development
of their career, but it is integral to the successful growth
and evolution of our industry.

To that end, I will take a potentially pretentious stab at heeding
my own advice by offering some of my own pearls of wisdom
to those aspiring IT managers looking for a pathway to
the CIO office. The following are some of the principles that
helped me, at 37, become the youngest IT director at a $6 billion
retail company and a CIO.

1. Embody CRM. Every person in your company, whether it’s
the janitor or the CEO, is your customer. And you should treat
every  customer  as  if  he  had  the  ability  to  promote  you  or  fire 
you.  Believe  it  or  not,  that  is  the  most  important  step  (and  the 
most overlooked) in your being looked upon as executive material —
particularly because it’s so rare in IT professionals.

2.  Change  your  dialect.  You  must  be  able  to  effectively 
communicate  with  nontechnical  people.  If  you  cannot  carry  a 
30-minute conversation with other department heads on business
issues that are not technical in nature (for example, advertising,
finance, merchandising, sales, real estate and so on), the
prospect  of  your  reaching  a  successful  executive  level  in  any 
organization  is  slim.  I  make  it  a  habit  to  interact  with  as  many 
non-IT  managers,  directors  and  executives  as  possible  during 
the  week,  and  I  intentionally  do  not  discuss  technology.  You  can 
ask  them  about  current  and  relevant  issues  facing  their  function 
(for  example:  “How  did  the  focus  groups  go  last  night?”  “Do 
you think we will experience any fallout over the Chapter 11
filing  by  [insert  supplier  or  competitor’s  name]?”  “I’ve  noticed 
employee  morale  improving  in  our  field  offices.  Have  you  seen 
the  same  trend?”).  Those  types  of  daily  exchanges — especially 
at  the  senior  level — instill  the  view,  if  even  subconsciously,  that 
you  are  a  managerial  peer,  not  just  the  “technology  guy.” 

3. Create a service culture. Demand step number one from
your direct reports. I have a zero-tolerance rule for bad customer
service and a religious desire to recognize good service.
The translation of these values will result in a culture of premium
service and will help build your credibility as a good manager.

As CIOs we have a duty to leave the future
leaders the keys to successful careers as
technology executives and visionaries.

4.  You're  only  as  good  as  your  team.  Remember  that  your 
employees  are  also  your  customers — so  treat  them  as  such.  A 
couple  of  my  former  bosses  eventually  became  my  employees 
and  I  remembered  how  I  was  treated.  It  doesn’t  matter  where 
we are on the organizational chart. Respect for your subordinates
will also help reduce turnover and show senior management
that you are a leader (another rarity in IT people).

5.  Purple  monkey  water  wrench.  Got  that?  Exactly.  Your 
customers  no  more  understand  your  techno-speak  than  you 
understand  the  heading  for  this  point.  Never  talk  down  to  anyone. 
One  condescending  exchange  can  erase  years  of  hard  lobbying. 

6.  Follow  up  at  all  cost.  Follow-up  is  more  important  than 
all  the  technical  qualifications  in  the  world.  I  have  had  some 
very  talented  people  work  for  me,  and  I  had  to  let  many  of 
them  go  because  they  could  not  get  this  principle.  Too  often,  we 
IT  people  will  fix  something  or  complete  a  project  but  never  let 
the customer know it’s done. Always follow up.

7. “You won’t believe the call I just received.” Make proactive
calls to your customers on a regular basis. Ask them how
you  and  your  group  are  doing  and  if  there  is  anything  you  can 
help  them  with.  Then  watch  as  the  jaws  drop.  People  are 
floored  by  this  level  of  service,  and  they  will  sing  your  praises. 

8.  Skillfully  manage  expectations.  Never  fall  victim  to  the 
classic  IT  pitfall  of  overcommitting  and  underdelivering.  It’s  hard 
to  say  “no”  because  we  really  like  the  adrenaline  rush  of  solving 
problems. The minute you say “yes,” however, you have a commitment.
When you don’t deliver, you not only guarantee a disappointed
customer experience, but you send a signal that you
are  a  poor  planner.  Poor  planners  seldom  make  their  way  to  the 
executive  promotion  short-list.  Overdeliver  at  every  opportunity. 

9.  Stay  as  far  away  from  company  politics  as  you  can.  Do 
not  partake  in  petty  infighting  in  your  company.  If  you  are 
approached  or  tempted  to  be  drawn  in,  find  a  business  trip 
and  go  on  it.  Be  your  own  person.  You  will  be  respected  when 
the  mudslinging  stops  and  the  dust  settles. 

10. Get up close and personal with financials. I have never
met an effective corporate executive who didn’t understand
basic financial principles. Finance is the business of business.
And you can only go so far up the ladder without at least a
small mastery of the debit/credit side. More specifically,
you should know how to read financial statements
such as a P&L statement, an income statement,
a balance sheet and so on. And I mean really learn
what the numbers are saying. Identify the relationships
and trends between gross margin and sales, how
fixed and variable costs impact your company’s profitability,
the debt position of your company, and so
on. Nothing impresses a CEO, COO or CFO more than hearing
an IT person intelligently participate in a financial discussion
about the business, trends and opportunities. Believe me, they
will see you in a whole different light.

11. Networking without wires. There’s an old saying, “It’s
not what you know but who you know.” Maintain your contacts
with former colleagues, bosses and even vendor account
representatives. Join and be active in professional associations,
which are well worth the dues, and you will build a great circle
of contacts in the process.

12.  Forget  the  Alamo.  Remember  Enron.  Finally,  whether 
you  are  eventually  given  the  key  to  the  executive  washroom 
or  decide  that  cube  life  is  not  so  bad  after  all,  never  compromise 
your ethics. Enough said.


Steve  Williams  is  senior  vice  president  and  CIO  of 
Mattress  Giant,  a  specialty  bedding  retailer  based  in 
Addison,  Texas.  You  can  send  e-mail  to  him  at 
srwilliams@mattressgiant.com. 

Emerging Technology

Build It Free

Open-source  development  tools  offer  low-cost,  high-quality  options 

BY  DYLAN  TWENEY 


Edited  by  Christopher 
Lindquist.  Send  your 
thoughts  and  ideas 
for  future  columns  to 
clindquist@cio.com. 


ILLUSTRATION BY PETER BENNETT

ANDRIG MILLER first got excited about Java’s
possibilities in March 1998, when Sun Microsystems
released the initial version of the Enterprise
JavaBeans (EJB) specification. But it was more
than four years before Miller, vice president of
technical architecture for office product supplier
Corporate Express, was ready to put an EJB
application into production. When the company
finally deployed its first EJB application, in
December 2002, it was running on JBoss, an
open-source application server that competes
with platforms such as BEA Systems’
WebLogic and IBM’s WebSphere.

That  first  application  tracks  order  status 
in  a  variety  of  legacy  systems,  handling  as 
many  as  75,000  transactions  per  hour,  says 
Miller.  Reliability  and  speed  were  essential 
considerations.  “We  got  a  lot  of  benefits 
from  taking  our  time — for  instance,  the 
EJB2.0  spec  matured  a  lot,”  he  says.  JBoss 
improved  too  and  added  such  enterprise- 
friendly  features  as  support  for  clustered 
servers.  Corporate  Express,  a  $5  billion 
company,  now  has  six  EJB  applications  in 
production,  all  running  on  JBoss. 

JBoss is just one of a wide array of open-source
development tools that are slowly
gaining acceptance among enterprise developers.
Cost is often a primary driver. Miller
estimates that his company has saved
$6 million in the past three years by using
JBoss and other open-source tools. As
Marc Fleury, president and founder of the
JBoss Group, puts it, “Most people understand
free.” (Even BEA understands: The
company recently announced no-cost one-year
developer licenses for WebLogic.)

Quality Code

Cost isn’t the only factor, however. Developers
are attracted to open-source tools
by their flexibility, the capability to customize
the underlying code, their high
quality, and the willingness of the open-source
community to help with implementation
and development problems.
“Open-source projects in general seem to
be pretty good at fulfilling developer needs
quickly,” notes Greg Hinkle, a technology
specialist at IT consultancy Sapient. That’s
not surprising, given that developers are
the ones driving open-source projects.

But more and more, open-source tools
are also fulfilling the CIO’s needs —
especially as the tools become more competitive
with commercial alternatives. For
example, Miller’s team evaluated several
commercial application servers, including
WebLogic and WebSphere, but couldn’t
find the combination of performance,
support and development features that
Corporate Express needed.

“Besides JBoss, we’ve adopted a lot of
other open-source things since 2000,”
Miller says, noting the company’s use of
Linux, Apache, OpenSSL, Tomcat (an
Apache add-on for processing Java Servlets
and JavaServer Pages), Jakarta Lucene (a
text search engine) and Jakarta Jetspeed
(an enterprise information portal). “The
prime driver for us is not really the cost —
though the cost savings have been very
substantial — but the software quality.”

More and more, open-source tools are
fulfilling the CIO’s needs.

Open-source tool use is widespread,
but it accounts for a minority of development
happening in the enterprise today.
According to Evans Data’s 2002 “North
American Developer Survey,” 53 percent
of developers use some open-source code
(from repositories such as SourceForge),
and 51 percent use open-source development
tools at least occasionally. However,
most developers spend the majority of
their time using commercial products.
Only 9 percent spend more than half their
time using open-source tools.

Still, interest continues to mount.
“There’s more and more acceptance of
open-source tools as things like Linux and
Apache become more widespread,” says
Mark Driver, research director at Gartner.

An  Array  of  Tools 

Developers who want open-source development
tools have a smorgasbord to
choose from. These include low-level
programming tools such as GNU Emacs,
a text and code editor, and the GNU
Compiler Collection, a suite of compilers
for C, C++, Fortran, Java and other languages.
Such tools often come into an
organization simply because they’re so
widespread in the Unix world and developers
have been using them for years.
“Emacs has a very steep learning curve,
but people who are very familiar with it
can be incredibly productive and efficient,”
says John Alberg, cofounder and
vice president of engineering at Employease,
a provider of human resources
software.

Open Sources

Technology: Open-source development tools.

Anticipated benefits: Low cost. Widespread support through development communities. Ability to modify source code. Tools often constitute de facto standards.

Hurdles: Tool quality varies. Some tools lack support. Slow upgrade cycles. Long learning curve compared with commercial tools.

Primary markets: Enterprise development teams, especially those already using Linux or other open-source software. Software vendors. IT consultancies.

Estimated cost: Zero licensing fees. Support contracts from commercial vendors add variable costs.

Major open-source projects

CVS (www.cvshome.org): Code management system.
Eclipse (www.eclipse.org): IBM-sponsored integrated development environment.
GNU Compiler Collection (gcc.gnu.org): Compilers for C, C++, Java and other languages.
JBoss (www.jboss.org): Enterprise JavaBeans application server.
Mono (www.go-mono.com): Project to replicate Microsoft .Net Development Framework functions on an open-source platform.
NetBeans (www.netbeans.org): Sun Microsystems-sponsored integrated development environment extensible via modules.
Tomcat (jakarta.apache.org/tomcat): Apache module for Java Servlets and JavaServer Pages.

Open-source repositories

Apache Jakarta Project (jakarta.apache.org): Repository of open-source solutions for Java.
SourceForge (sourceforge.net): Repository of open-source code and applications.

Developers often use newer application
platforms, such as JBoss and Tomcat, to
develop applications — and increasingly to
deploy the final apps. (JBoss was downloaded
more than 2 million times last year,
according to Fleury.) One advantage cited
by many managers is that JBoss lets developers
test EJB code on their desktop systems
without having to first deploy it to a
server elsewhere, an efficiency that can significantly
cut development time.

Finally, there are open-source integrated
development environments (IDEs) such as
the IBM-driven Eclipse project and Sun
Microsystems’ NetBeans. The Eclipse community,
which began in 2001, has grown
rapidly, with more than 175 tool vendors
providing plug-ins for the platform. Part
of the reason for its popularity is that it
provides a common, simple framework for
development — and for integrating a disparate
array of tools. “The open-source
community 24 months ago was a collection
of nifty tools, but there really wasn’t
an IDE out there to bring those tools
together and to shorten the learning
curve,” says Andy George, vice president
of research and development at GE Retail
Systems, a provider of software to the
retail industry. “Now, any Joe Engineer
can take the Eclipse product and be pretty
productive.”


Setting  a  Standard 

Another factor driving open-source alternatives is standardization. “Open source tends to work well when the technology is relatively straightforward and simple,” says Driver. Case in point: Apache dominates the Web server market because the relevant standards are so well-established that commercial vendors can no longer differentiate their products profitably. As the J2EE standard matures, Driver sees a similar shift happening in the application server market. However, he says, “I don’t know that we’re ever going to see JBoss achieve the critical mass of Apache because there are many well-established commercial alternatives to [JBoss].”

Apache Software Foundation cofounder Brian Behlendorf disagrees. “I think that space is ripe for commodification,” says Behlendorf, who is also founder and CTO of open-source software and service provider CollabNet. “People are getting tired of spending $10,000 per CPU. For most people, running websites with a million hits or less per day, you can accomplish a lot with the open-source application servers that are out there.”

While open-source tools benefit from having standards in place, the tools can also create de facto standards. “The challenge with pure standards is that a standard is just a piece of paper,” says Scott L. Hebner, director of marketing for IBM WebSphere. “Open source is probably the next step, logically. Why just provide a piece of paper — why don’t we actually provide a reference platform that implements the standard?”

For example, CVS, a code-management and version-control system, is so widely used that even commercial development tools now include support for it. Of course, it helps that CVS actually works. “We’ve found it’s an incredibly powerful version-control system, and it scales very well,” says Alberg.

Look  Before  You  Leap 

Although developers may be pushing for open-source tools, CIOs are less enthusiastic, citing concern about support, accountability and potential legal issues. Product support is a big issue, especially because you’re depending on the goodwill of the open-source community, which provides support through online forums and FAQs, and documentation is often minimal or nonexistent. Before committing to an open-source product, companies need to ensure that the community behind it is committed and reliable. In some cases, you can purchase support contracts from a vendor (JBoss Group and CollabNet are two companies whose businesses are largely based on providing support for open-source development tools), but that option is not available for every product.

The  learning  curve  for  open-source 
tools  is  also  typically  steep,  and  the  tools 
tend  to  be  aimed  at  power  users. 

Finally,  the  quality  of  open-source  tools 
is  highly  variable,  and  some  lack  features 
required  by  enterprise  development  teams. 
JBoss  appeals  to  those  who  are  “looking 
to  get  80  percent  of  the  capabilities  of 
WebSphere  at  zero  percent  of  the  cost,” 
says  Gartner’s  Driver.  The  low  cost  may 
be  enough  to  justify  the  trade-off,  but  it 
depends  on  the  environment  and  whether 
you  can  do  without  the  missing  features. 
JBoss,  for  instance,  lacks  the  development 
environments  packaged  with  WebSphere 
and  other  application  servers. 

“If you use open-source IDEs, you get a very mixed bag of capabilities,” says John Parkinson, chief technologist for the Americas region at Cap Gemini Ernst & Young.

In the same vein, open-source collaborative development tools lack enterprise features such as transparent progress tracking and centralized management systems. “People like to know where you are and how soon you’ll be done, and a lot of these tools give up on that aspect in order to be done quickly,” says Parkinson.

Increasing  Productivity 

Parkinson  acknowledges  that  the  most 
productive,  “extreme”  programmers  often 
favor  open-source  tools — and  that  it  might 
make  sense  to  use  such  tools  just  to  keep 
those  developers  happy.  “You  can  have  a 
lot  more  impact  by  making  the  really  good 
guys  twice  as  productive  as  you  can  by 
making  the  average  programmer  twice 
as  productive,”  says  Parkinson.  “If  you’re 
going  to  get  the  most  out  of  people  like 
that,  you’ve  got  to  give  them  what  they 
like  to  use.” 

In  the  end,  IT  managers  need  to  make 
the  same  cost-benefit  analysis  as  they 
would  for  any  product — and  that’s  an 
equation  that  will  leave  many  open-source 
tools  looking  pretty  good,  even  if  they  lack 
a  few  features.  “There’s  not  a  long  laundry 
list  of  things  that  people  actually  need,” 
says  Tim  Witham,  lab  director  for  the 
Open  Source  Development  Lab,  which 
supports  open-source  developers.  “If  you 
look  at  the  feature  set  of  an  IDE,  there’s  a 
very  small  set  of  features  that  people  need 
day-to-day.” 

To sort out the wheat from the chaff, you’ll need the help of your top developers. “If your development staff is keeping a finger on the pulse of the open-source community, you’re bound to have a developer organization that understands leading-edge technologies,” says Adina K. Madrid, director of technology for Digital@jwt, an e-business development shop. “Then, it’s up to you to make the business decision as to whether it makes sense in each situation.” ■

Dylan  Tweney  ( dylan@tweney.com )  is  a  freelance 
writer  and  editor  in  San  Mateo,  Calif. 


UNDER  DEVELOPMENT 
Electric  broadband 

Energized  Internet 

BROADBAND INTERNET flowing from every electrical outlet? The technology exists. But the power line broadband industry still faces implementation, regulatory and marketing hurdles before it competes for customers with cable, DSL and satellite companies.

Power  line  communications  uses  the  existing  electrical  grid  as  a  distribution  medium 
by  connecting  computer,  network  or  telecommunications  devices  to  standard  AC  outlets. 
The  data  stream  then  travels  through  aggregation  points  on  the  grid  at  up  to  14Mbps. 

The benefits are obvious. The electrical grid connects many homes not serviced by DSL or cable television. And even countries with minimal telecommunications infrastructure often have electric utilities.

Pilots are already under way at utilities in Missouri and Pennsylvania, as well as in several non-U.S. countries. Federal regulators have given a preliminary blessing to the technology (though the Federal Communications Commission is still investigating whether power line communications could cause radio interference). And utilities and ISPs such as Earthlink have shown interest. Larger scale commercial rollouts should begin later this year. Success, however, isn’t a guarantee.

John  Joyce,  CEO  of  Ambient,  a  maker  of  power  line  communications  equipment  that 
has  development  deals  with  utilities  ConEdison  and  Southern  Co.,  says  the  business 
model  for  power  line  broadband  is  still  being  hammered  out.  Rather  than  shouldering 
the  whole  load  for  necessary  infrastructure  upgrades,  for  instance,  utilities  are  looking 
for  partners  such  as  ISPs  to  cover  some  of  the  costs.  Pricing  will  also  be  a  key  issue.  “The 
number  that's  thrown  out  is  $29.95  [per  month],”  Joyce  says,  compared  with  around 
$50  a  month  for  cable  or  DSL  service. 

At  that  price,  the  outlet  in  your  wall  may  become  your  latest  window  on  the  world. 

More  information  is  available  from  the  United  Powerline  Council  ( www.uplc.utc.org ) 
and  the  Power  Line  Communications  Association  ( www.plca.net ). 

-Christopher  Lindquist 
PUNDIT

Connected  devices 

Device  Days 

It’s  time  to  prep  your  organization  for  the  extended  Internet 

BY  MARIA  MARTINEZ 


YOUR ENTERPRISE integration and management strategy just got derailed. Devices, ranging from the office photocopier to industrial tools, will no longer run standalone. Instead, this new generation of devices will connect to the network — your network. This “extended Internet” will expose significant shortcomings in your infrastructure. Without a device-oriented strategy in place, you will find yourself reacting to IP address depletion, ad hoc software problems, as well as management and security concerns.

While there is growing awareness about machine-to-machine standards for servers, devices have not been considered. They are also different from client systems; devices usually run autonomously and remotely while performing a specialized task. And then there’s security. Devices typically do not use SSL or other “heavy client” technologies but rely on resource-efficient algorithms like AES (Advanced Encryption Standard). Simply put, the integration fabric and the management services needed for device-based systems are missing from today’s network infrastructure.

In spite of such challenges, the extended Internet is coming, driven by the strong economic benefits that it offers. For instance, by putting devices online, organizations will be able to automate data collection for initiatives such as process monitoring. And imagine the benefit of installing a biometric access control system that can automatically and securely connect to provision itself with the latest templates and security policy parameters and then automatically maintain itself and alert you to device problems before they affect your operations. One leading retail chain significantly improved labor management by eliminating the local host PCs and manual processes for its time clocks. Integration of employee card-swipe information with payroll processing and human resources reduced administration and manual costs by 10-to-1.

The impact of this emerging “extended Internet” should not be underestimated.
-Maria Martinez

Unfortunately, under today’s paradigm, devices integrate with applications through hard coding. The problem with this approach is that it requires a significant investment in custom software, and it does not scale. Every time a device or application changes, you must redo the integration. In addition, there is the added work of exposing device management information for incorporation into your management systems.

As you prepare for this new world, you must adopt this mantra: “Keep devices, applications and management services separate from each other.” Previously infeasible, this has recently become possible with a class of software called device brokerage. Under this paradigm, applications and devices appear as abstractions — in the way that a modern printer is represented by an abstraction to word-processing applications — and are securely connected and managed through brokerage services. This has a number of immediate and long-term benefits.

First, you don’t need to change your existing applications to integrate them with devices. Second, devices, with their multiplicity of operating systems and protocols, can be dealt with as abstract entities, dramatically simplifying integration. Third, you can do an entire device-application integration — and make updates later on — in a matter of days and weeks, rather than months. Plus, security issues are resolved from the outset, since a comprehensive security model is built into the infrastructure. And finally, managing the hundreds — or hundreds of thousands — of devices that are in your organization’s future will be greatly simplified with built-in management services.

The device brokerage infrastructure is the “missing link” in the Internet’s evolution. As your company begins thinking about its long-term device strategies, you can prepare to deliver something previously unthinkable — the seamless integration of extended Internet solutions into your current architecture and infrastructure. This should be a welcome change.


Maria  Martinez  is  president  and  CEO  of  device 
software  vendor  Embrace  Networks. 